
Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1431817
MD5:6795efba98699a0cae3c4f729b83ace9
SHA1:a46482db507cf67307880919b85dc2187d2a2512
SHA256:026387aa4411dac1107e403fb44fa90c5a34ec5ab0068af13e3f8f9f0b0f46cd
Tags:exe
Infos:

Detection

RisePro Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 5688 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6795EFBA98699A0CAE3C4F729B83ACE9)
    • schtasks.exe (PID: 576 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 2704 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 828 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 1948 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 3160 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 6795EFBA98699A0CAE3C4F729B83ACE9)
    • WerFault.exe (PID: 1568 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1152 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 1896 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 6795EFBA98699A0CAE3C4F729B83ACE9)
  • RageMP131.exe (PID: 6984 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 6795EFBA98699A0CAE3C4F729B83ACE9)
  • RageMP131.exe (PID: 4204 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 6795EFBA98699A0CAE3C4F729B83ACE9)
  • cleanup
No configs have been found
Source: C:\Users\user\AppData\Local\Temp\HCwgibNvhQ3gDx_DWG1aNau.zip  Rule: JoeSecurity_RiseProStealer  Description: Yara detected RisePro Stealer  Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\1YMX7UxRgh318S1TWXmjgUx.zip  Rule: JoeSecurity_RiseProStealer  Description: Yara detected RisePro Stealer  Author: Joe Security
Source: 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp  Rule: JoeSecurity_CredentialStealer  Description: Yara detected Credential Stealer  Author: Joe Security
Source: 00000000.00000002.2326694552.0000000005DC4000.00000004.00000020.00020000.00000000.sdmp  Rule: JoeSecurity_RiseProStealer  Description: Yara detected RisePro Stealer  Author: Joe Security
Source: 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmp  Rule: JoeSecurity_RiseProStealer  Description: Yara detected RisePro Stealer  Author: Joe Security
Source: 00000006.00000002.2333459442.00000000059B0000.00000004.00000020.00020000.00000000.sdmp  Rule: JoeSecurity_RiseProStealer  Description: Yara detected RisePro Stealer  Author: Joe Security
Source: Process Memory Space: file.exe PID: 5688  Rule: JoeSecurity_RiseProStealer  Description: Yara detected RisePro Stealer  Author: Joe Security

                System Summary

Source: Registry Key set  Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)  Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 5688, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131
Timestamp: 04/25/24-20:36:02.824956  SID: 2046266  Source Port: 58709  Destination Port: 49708  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 04/25/24-20:36:09.524020  SID: 2046269  Source Port: 49708  Destination Port: 58709  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 04/25/24-20:36:02.835774  SID: 2046266  Source Port: 58709  Destination Port: 49709  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 04/25/24-20:36:20.853335  SID: 2046266  Source Port: 58709  Destination Port: 49724  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 04/25/24-20:36:03.375523  SID: 2046267  Source Port: 58709  Destination Port: 49708  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 04/25/24-20:36:03.390482  SID: 2046267  Source Port: 58709  Destination Port: 49709  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 04/25/24-20:36:00.328630  SID: 2049060  Source Port: 49705  Destination Port: 58709  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 04/25/24-20:36:23.977267  SID: 2046269  Source Port: 49724  Destination Port: 58709  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 04/25/24-20:36:00.782969  SID: 2046267  Source Port: 58709  Destination Port: 49705  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 04/25/24-20:36:00.533633  SID: 2046266  Source Port: 58709  Destination Port: 49705  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 04/25/24-20:36:14.063364  SID: 2046269  Source Port: 49714  Destination Port: 58709  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 04/25/24-20:36:07.671962  SID: 2046269  Source Port: 49705  Destination Port: 58709  Protocol: TCP  Classtype: A Network Trojan was detected
Timestamp: 04/25/24-20:36:10.545583  SID: 2046266  Source Port: 58709  Destination Port: 49714  Protocol: TCP  Classtype: A Network Trojan was detected


                AV Detection

Source: http://193.233.132.167/cost/lenin.exe  URL Reputation: Label: malware
Source: http://193.233.132.167/cost/go.exe  Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/go.exe(i  Avira URL Cloud: Label: malware
Source: http://147.45.47.102:57893/hera/amadka.exe  Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/go.exedka.exe  Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/lenin.exeegent  Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/go.exeerver  Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/lenin.exeerH_  Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/go.exe  Virustotal: Detection: 24%
Source: http://147.45.47.102:57893/hera/amadka.exe  Virustotal: Detection: 18%
Source: http://147.45.47.102:57893/hera/amadka.exeop  Virustotal: Detection: 18%
Source: http://193.233.132.167/cost/go.exedka.exe  Virustotal: Detection: 25%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe  Virustotal: Detection: 39%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe  ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe  ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe  Virustotal: Detection: 39%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe  Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe  Joe Sandbox ML: detected
Source: file.exe  Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00863EB0 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,0_2_00863EB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe  Code function: 6_2_00303EB0 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,6_2_00303EB0
Source: file.exe  Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown  HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown  HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_0087D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_0087D2B0
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00831A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,0_2_00831A60
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_008633B0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_008633B0
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00883B20 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,0_2_00883B20
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_007D1F8C FindClose,FindFirstFileExW,GetLastError,0_2_007D1F8C
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_007D2012 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,0_2_007D2012
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_008313F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_008313F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe  Code function: 6_2_0031D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,6_2_0031D2B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe  Code function: 6_2_003033B0 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,6_2_003033B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe  Code function: 6_2_002D1A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,6_2_002D1A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe  Code function: 6_2_00323B20 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,6_2_00323B20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe  Code function: 6_2_00271F8C FindClose,FindFirstFileExW,GetLastError,6_2_00271F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe  Code function: 6_2_00272012 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,6_2_00272012
Source: C:\ProgramData\MPGPH131\MPGPH131.exe  Code function: 6_2_002D13F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,6_2_002D13F0

                Networking

Source: Traffic  Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49705 -> 147.45.47.93:58709
Source: Traffic  Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49705
Source: Traffic  Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49705
Source: Traffic  Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49708
Source: Traffic  Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49709
Source: Traffic  Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49708
Source: Traffic  Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49709
Source: Traffic  Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49705 -> 147.45.47.93:58709
Source: Traffic  Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49708 -> 147.45.47.93:58709
Source: Traffic  Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49714
Source: Traffic  Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49714 -> 147.45.47.93:58709
Source: Traffic  Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49724
Source: Traffic  Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49724 -> 147.45.47.93:58709
Source: global traffic  TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: global traffic  TCP traffic: 192.168.2.5:49705 -> 147.45.47.93:58709
Source: Joe Sandbox View  IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View  IP Address: 147.45.47.93 147.45.47.93
Source: Joe Sandbox View  IP Address: 104.26.5.15 104.26.5.15
Source: Joe Sandbox View  ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: Joe Sandbox View  JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown  DNS query: name: ipinfo.io
Source: global traffic  HTTP traffic detected: GET /widget/demo/185.152.66.230 HTTP/1.1  Connection: Keep-Alive  Referer: https://ipinfo.io/  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36  Host: ipinfo.io
Source: global traffic  HTTP traffic detected: GET /demo/home.php?s=185.152.66.230 HTTP/1.1  Connection: Keep-Alive  Content-Type: application/x-www-form-urlencoded  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36  Host: db-ip.com
Source: unknown  TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: C:\Users\user\Desktop\file.exe  Code function: 0_2_00865940 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,FreeAddrInfoW,WSACleanup,FreeAddrInfoW,0_2_00865940
Source: global traffic  DNS traffic detected: DNS query: ipinfo.io
Source: global traffic  DNS traffic detected: DNS query: db-ip.com
Source: file.exe, 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe&i
Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe42359
Source: file.exe, 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeop
Source: file.exe, 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://193.233.132.167/cost/go.exe
Source: MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://193.233.132.167/cost/go.exe(i
Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://193.233.132.167/cost/go.exedka.exe
Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://193.233.132.167/cost/go.exeerver
Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://193.233.132.167/cost/lenin.exe
Source: MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://193.233.132.167/cost/lenin.exeegent
Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp  String found in binary or memory: http://193.233.132.167/cost/lenin.exeerH_
                Source: Amcache.hve.11.drString found in binary or memory: http://upx.sf.net
                Source: file.exe, 00000000.00000003.2033168714.0000000002E70000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2331180596.000000000039B000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2059493244.0000000001020000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2059966123.0000000000FA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2129853471.000000000039B000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000003.2138507545.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2430993688.0000000000F5B000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000003.2228346695.00000000016E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2531991205.0000000000F5B000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
                Source: file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: RageMP131.exe, 00000010.00000003.2455967104.00000000019EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/
                Source: RageMP131.exe, 00000008.00000002.2431987171.000000000191E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000003.2455967104.0000000001A32000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.0000000001A32000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019E3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000003.2455967104.00000000019EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=185.152.66.230
                Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=185.152.66.230Xl
                Source: MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=185.152.66.230i
                Source: file.exe, 00000000.00000002.2325278165.0000000001400000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2431987171.000000000191E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=185.152.66.230
                Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=185.152.66.230.datapacket.com
                Source: RageMP131.exe, 00000010.00000002.2533471546.00000000019E3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000003.2455967104.00000000019EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=185.152.66.230P
                Source: file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: RageMP131.exe, 00000008.00000002.2431987171.000000000191E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2431987171.00000000018D3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.000000000198F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019E3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019CC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000003.2455967104.00000000019EB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/
                Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001109000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/1
                Source: RageMP131.exe, 00000010.00000002.2533471546.00000000019C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/6K
                Source: file.exe, 00000000.00000002.2325278165.00000000013EF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.0000000001109000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2431987171.000000000191E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/Mozilla/5.0
                Source: RageMP131.exe, 00000008.00000002.2431987171.00000000018D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/O
                Source: file.exe, 00000000.00000003.2033168714.0000000002E70000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2331180596.000000000039B000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2059493244.0000000001020000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2059966123.0000000000FA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2129853471.000000000039B000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000003.2138507545.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2430993688.0000000000F5B000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000003.2228346695.00000000016E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2531991205.0000000000F5B000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
                Source: MPGPH131.exe, 00000006.00000002.2332544604.00000000010D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/jM
                Source: RageMP131.exe, 00000008.00000002.2431987171.000000000190F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/m
                Source: RageMP131.exe, 00000010.00000002.2533471546.000000000198F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/s
                Source: RageMP131.exe, 00000008.00000002.2431987171.00000000018EC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2431987171.0000000001915000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019CC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/185.152.66.230
                Source: RageMP131.exe, 00000010.00000002.2533471546.00000000019AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/185.152.66.230q
                Source: file.exe, 00000000.00000002.2325278165.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.0000000001117000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/185.152.66.230
                Source: RageMP131.exe, 00000008.00000002.2431987171.0000000001915000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/185.152.66.230Qd
                Source: D87fZN3R3jFeplaces.sqlite.7.drString found in binary or memory: https://support.mozilla.org
                Source: D87fZN3R3jFeplaces.sqlite.7.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: D87fZN3R3jFeplaces.sqlite.7.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
                Source: file.exe, 00000000.00000002.2326694552.0000000005DC4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.000000000109D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2333459442.00000000059B0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.0000000001087000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2431987171.000000000189E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.0000000001957000.00000004.00000020.00020000.00000000.sdmp, HCwgibNvhQ3gDx_DWG1aNau.zip.0.dr, 1YMX7UxRgh318S1TWXmjgUx.zip.6.drString found in binary or memory: https://t.me/RiseProSUPPORT
                Source: file.exe, 00000000.00000002.2325278165.000000000136E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORT.tPVx
                Source: RageMP131.exe, 00000010.00000002.2533471546.0000000001957000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORT3
                Source: RageMP131.exe, 00000008.00000002.2431987171.000000000191E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro
                Source: RageMP131.exe, 00000010.00000002.2533471546.00000000019E3000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr, passwords.txt.6.drString found in binary or memory: https://t.me/risepro_bot
                Source: MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot6.230
                Source: file.exe, 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot7
                Source: RageMP131.exe, 00000008.00000002.2431987171.000000000191E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botisepro_bot
                Source: RageMP131.exe, 00000010.00000002.2533471546.00000000019E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botist
                Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botlatere_(
                Source: RageMP131.exe, 00000008.00000002.2431987171.000000000191E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botsA
                Source: file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.drString found in binary or memory: https://www.ecosia.org/newtab/
                Source: file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: file.exe, MPGPH131.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                Source: D87fZN3R3jFeplaces.sqlite.7.drString found in binary or memory: https://www.mozilla.org
                Source: D87fZN3R3jFeplaces.sqlite.7.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                Source: D87fZN3R3jFeplaces.sqlite.7.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                Source: file.exe, 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/-_p
                Source: file.exe, 00000000.00000003.2105638601.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115039621.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2114472164.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2122244297.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129153195.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108669470.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115593739.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2116658566.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2114154245.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2104422097.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107373820.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2105396441.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108284720.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2117337036.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2110479328.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103676294.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106893933.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2117645844.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2326694552.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2118084133.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2333535211.00000000059F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/a
                Source: D87fZN3R3jFeplaces.sqlite.7.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: file.exe, 00000000.00000003.2105638601.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115039621.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2114472164.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2122244297.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129153195.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108669470.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115593739.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2116658566.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2114154245.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2104422097.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107373820.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2105396441.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108284720.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2117337036.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2110479328.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103676294.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106893933.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2117645844.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2326694552.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2118084133.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2333535211.00000000059F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                Source: file.exe, 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
                Source: file.exe, 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/e
                Source: file.exe, 00000000.00000003.2105638601.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115039621.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2114472164.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2122244297.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129153195.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108669470.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115593739.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2116658566.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2114154245.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2104422097.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107373820.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2105396441.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108284720.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2117337036.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2110479328.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103676294.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106893933.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2117645844.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2326694552.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2118084133.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2333535211.00000000059F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/irefox
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
                Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
                Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
                Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
                Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49706 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49707 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49710 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49711 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49712 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49713 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49735 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49736 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49737 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49738 version: TLS 1.2
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008833A0 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,73B574A0,DeleteObject,DeleteObject,ReleaseDC

                System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name:
Source: RageMP131.exe.0.dr | Static PE information: section name:
Source: RageMP131.exe.0.dr | Static PE information: section name:
Source: RageMP131.exe.0.dr | Static PE information: section name:
Source: RageMP131.exe.0.dr | Static PE information: section name:
Source: RageMP131.exe.0.dr | Static PE information: section name:
Source: MPGPH131.exe.0.dr | Static PE information: section name:
Source: MPGPH131.exe.0.dr | Static PE information: section name:
Source: MPGPH131.exe.0.dr | Static PE information: section name:
Source: MPGPH131.exe.0.dr | Static PE information: section name:
Source: MPGPH131.exe.0.dr | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00898080
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008DC8D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E001D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007AB8E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008749B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008361D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00838A80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087D2B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00831A60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087C3E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083CBF0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F8BA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00847D20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0083AEC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00833ED0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087B7E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0081F730
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0082DF60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E40A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008D20C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007DC950
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007DA918
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00822100
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00841130
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D7190
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E3160
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008E4AE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00884B90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007E035F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00830BA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00890350
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007CF570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F25FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F8E20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00841E40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0088BFC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0088CFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0028001D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00338080
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002D61D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0031D2B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0031C3E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002BF730
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0031B7E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0024B8E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0037C8D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_003149B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002D1A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002D8A80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002DCBF0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002E7D20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002DAEC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002D3ED0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002CDF60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_003840A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_003720C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002E1130
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002C2100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00383160
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00277190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0037F280
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00330350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0028035F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0026F570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002947AD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0027A918
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0027C950
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0028DA74
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00385A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00384AE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00298BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002D0BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00324B90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0041FDB6
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00298E20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002E1E40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0032CFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0032BFC0
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 007BACE0 appears 86 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 0025ACE0 appears 86 times
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 1948
Source: RageMP131.exe.0.dr | Static PE information: Number of sections : 12 > 10
Source: MPGPH131.exe.0.dr | Static PE information: Number of sections : 12 > 10
Source: file.exe | Static PE information: Number of sections : 12 > 10
Source: file.exe | Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000000.2029591798.000000000094A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe
Source: file.exe, 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: ZLIB complexity 0.999460876105108
Source: file.exe | Static PE information: Section: ZLIB complexity 0.9960345643939394
Source: file.exe | Static PE information: Section: ZLIB complexity 1.0023871527777777
Source: file.exe | Static PE information: Section: ZLIB complexity 0.9898745888157895
Source: file.exe | Static PE information: Section: .reloc ZLIB complexity 1.5
Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.999460876105108
Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9960345643939394
Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 1.0023871527777777
Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9898745888157895
Source: RageMP131.exe.0.dr | Static PE information: Section: .reloc ZLIB complexity 1.5
Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.999460876105108
Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9960345643939394
Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 1.0023871527777777
Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9898745888157895
Source: MPGPH131.exe.0.dr | Static PE information: Section: .reloc ZLIB complexity 1.5
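The three static indicators above (more than ten sections, section names the report cannot print, and per-section ZLIB complexity close to 1.0) are cheap to reproduce on any section table, and the identical values for file.exe and the two dropped copies confirm they are the same packed binary. The example below is added here and is not the sandbox's own code: it computes the same compressed-to-raw ratio, treats any non-printable byte in an 8-byte section name as a hit, and keeps genuinely incompressible sections apart from tiny ones. The .reloc value of 1.5 above is the tiny case: a section of a few bytes where zlib's framing outweighs the data, which says nothing about packing. The section contents are constructed; the 0.98 threshold and the 256-byte minimum are assumptions.

```python
import hashlib
import string
import zlib

# Characters a compiler or linker normally emits in a section name (assumption).
PRINTABLE = set(string.ascii_letters + string.digits + "._$@-")


def pseudo_random(n, seed=b"constructed"):
    """Deterministic incompressible bytes (SHA-256 chain) standing in for a packed section."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed sections as (8-byte name, raw bytes); not taken from the sample.
SAMPLE_SECTIONS = [
    (b".text\x00\x00\x00", b"\x90" * 4096 + b"\xcc" * 1024),  # ordinary, highly compressible
    (b"\x01.xyz\x00\x00\x00", pseudo_random(65536)),          # unprintable name, packed payload
    (b".reloc\x00\x00", b"\x00" * 8),                         # tiny section
]


def zlib_complexity(data):
    """len(zlib(data)) / len(data), the 'ZLIB complexity' the report quotes.
    About 1.0: incompressible (packed, encrypted or already compressed).
    Well above 1.0: the section is only a few bytes, so zlib's roughly ten
    bytes of header and checksum dominate; that is the .reloc 1.5 case."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def section_name_is_clean(name):
    """PE section names are 8 bytes, NUL padded; any other non-printable
    byte is what the 'section with special chars' signature keys on."""
    body = name.rstrip(b"\x00")
    return bool(body) and all(chr(b) in PRINTABLE for b in body)


def triage_sections(sections, max_sections=10, packed_threshold=0.98, min_size=256):
    """Reproduce the report's three static checks over (name, raw) pairs."""
    findings = {"too_many_sections": len(sections) > max_sections,
                "bad_names": [], "packed": [], "tiny": []}
    for name, raw in sections:
        label = name.rstrip(b"\x00").decode("latin-1")
        if not section_name_is_clean(name):
            findings["bad_names"].append(label)
        ratio = round(zlib_complexity(raw), 3)
        if len(raw) < min_size:
            findings["tiny"].append((label, ratio))  # ratio is not meaningful here
        elif ratio >= packed_threshold:
            findings["packed"].append((label, ratio))
    return findings


if __name__ == "__main__":
    for key, value in triage_sections(SAMPLE_SECTIONS).items():
        print(f"{key}: {value}")
```

To run this on a real file, feed it `[(s.Name, s.get_data()) for s in pe.sections]` from pefile (its own API; not shown here). Keep in mind that a legitimately compressed resource section scores near 1.0 as well, so the ratio is a packing hint to be read together with the section count and names, not a verdict on its own.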
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@13/58@2/3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3160
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5688
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1788:120:WilError_03
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000003.2033168714.0000000002E70000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2331180596.000000000039B000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2059493244.0000000001020000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2059966123.0000000000FA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2129853471.000000000039B000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000003.2138507545.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2430993688.0000000000F5B000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000003.2228346695.00000000016E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2531991205.0000000000F5B000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000003.2033168714.0000000002E70000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2331180596.000000000039B000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2059493244.0000000001020000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2059966123.0000000000FA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2129853471.000000000039B000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000003.2138507545.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2430993688.0000000000F5B000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000003.2228346695.00000000016E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2531991205.0000000000F5B000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000003.2104608499.0000000005DF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2114472164.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2142090491.00000000059FB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2148821408.0000000005A05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2140859397.00000000059FB000.00000004.00000020.00020000.00000000.sdmp, OhQNgUJ0X5NgLogin Data.0.dr, 7PzLqHtz21igLogin Data For Account.6.dr, zvXv7gzjmXYkLogin Data For Account.0.dr, S0Pov5vdwAn3Login Data.6.dr, sdYAsTf3586cLogin Data.0.dr, NMxkTlMy11FaLogin Data.6.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
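The two sqlite_rename_table and INSERT strings come from the SQLite library statically linked into the stealer, while the password_notes statement is different in kind: it is the Chromium password-store schema read back out of the dropped files named OhQNgUJ0X5NgLogin Data, 7PzLqHtz21igLogin Data For Account and so on, which are the browser's Login Data databases copied under a random prefix (the .0.dr and .6.dr suffixes are the sandbox's tags for the process that dropped them). An added example, not from this report, that identifies such a copy both by its name and by its SQLite schema, the latter being the reliable check once a sample starts randomising the whole filename. The fixture database is constructed, and the table sets used for classification are an assumption based on the Chromium schema.

```python
import os
import re
import sqlite3
import tempfile
from pathlib import Path

# Chromium SQLite stores, identified by tables they must contain (assumption based on
# the Chromium schema; the password_notes DDL above is the one the report shows).
CHROMIUM_STORES = {
    "Login Data": {"logins", "password_notes"},
    "Cookies": {"cookies"},
    "Web Data": {"autofill", "credit_cards"},
}

# Dropped names in the report are "<12 random alphanumerics><store name>".
PREFIXED_STORE = re.compile(
    r"^(?P<prefix>[A-Za-z0-9]{8,16})(?P<store>Login Data( For Account)?|Cookies|Web Data)$"
)


def canonical_store_name(path):
    """Strip the random prefix and return the browser store name, or None."""
    m = PREFIXED_STORE.match(os.path.basename(path))
    return m.group("store") if m else None


def sqlite_tables(path):
    """Table names of an SQLite file opened read-only; None if it is not SQLite."""
    with open(path, "rb") as f:
        if f.read(16) != b"SQLite format 3\x00":
            return None
    conn = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
        return {r[0] for r in rows}
    finally:
        conn.close()


def classify_dropped_file(path):
    """Name the Chromium store whose required tables the file contains."""
    tables = sqlite_tables(path)
    if tables is None:
        return "not-sqlite"
    for store, required in CHROMIUM_STORES.items():
        if required <= tables:
            return store
    return "sqlite-unknown"


def build_sample_login_data(path):
    """Constructed fixture with a subset of the Chromium Login Data schema."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE logins (id INTEGER PRIMARY KEY AUTOINCREMENT,
            origin_url VARCHAR NOT NULL, username_value VARCHAR, password_value BLOB);
        CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT,
            parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE
            DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB,
            date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
        INSERT INTO logins (origin_url, username_value, password_value)
            VALUES ('https://example.test/login', 'alice', X'763130AABBCC');
    """)
    conn.commit()
    conn.close()


def demo():
    """Create a prefixed copy like the stealer's and classify it both ways."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "OhQNgUJ0X5NgLogin Data")
    build_sample_login_data(path)
    return canonical_store_name(path), classify_dropped_file(path)


if __name__ == "__main__":
    print(demo())
```

During an incident, run `classify_dropped_file` over every file the process wrote to its working directory and %TEMP%; a hit on "Login Data" or "Cookies" is the cue to treat every credential in the affected browser profile as exposed, since the password_value blobs only need the profile's DPAPI-protected key, which the same process also reads (note dpapi.dll and vaultcli.dll in the loaded-module list further down).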
Source: file.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 1948
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1152
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
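The two schtasks invocations above install the dropped MPGPH131.exe twice, hourly and at every logon, with /rl HIGHEST and /f, from a parent running off the user's desktop; each of those properties is a signal on its own, and together they are the classic commodity-stealer persistence pattern. An added example, not part of this report, that parses schtasks command lines from process-creation records and lists the indicators a detection rule would key on. The records are constructed (the two malicious command lines are copied from this report, the benign control is invented), and the directory lists and trigger set are assumptions.

```python
import re

# Constructed process-creation records. The two schtasks lines are the ones in
# the report; the third is an invented benign control for comparison.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\user\Desktop\file.exe",
     "cmd": r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST'},
    {"parent": r"C:\Users\user\Desktop\file.exe",
     "cmd": r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST'},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r'schtasks /create /tn "Vendor Updater" /tr "C:\Program Files\Vendor\updater.exe" /sc DAILY'},
]

TOKEN = re.compile(r'"[^"]*"|\S+')           # quoted string or bare word
VALUE_OPTS = {"tn", "tr", "sc", "rl", "ru", "rp", "mo", "st", "sd", "ed", "xml", "s", "u", "p"}
WRITABLE_DIRS = ("c:\\programdata\\", "\\appdata\\", "\\temp\\", "c:\\users\\public\\")
TRUSTED_PARENTS = ("c:\\windows\\", "c:\\program files")
FREQUENT_OR_LOGON = {"ONLOGON", "ONSTART", "ONIDLE", "MINUTE", "HOURLY"}


def parse_schtasks(cmd):
    """Split a schtasks command line into {'flags': set, 'opts': dict}; None if not schtasks."""
    toks = [t.strip('"') for t in TOKEN.findall(cmd)]
    if not toks:
        return None
    exe = toks[0].lower()
    if not (exe == "schtasks" or exe.endswith("schtasks.exe")):
        return None
    flags, opts = set(), {}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok[:1] in "/-" and len(tok) > 1:
            key = tok[1:].lower()
            if key in VALUE_OPTS and i + 1 < len(toks):
                opts[key] = toks[i + 1]
                i += 2
                continue
            flags.add(key)
        i += 1
    return {"flags": flags, "opts": opts}


def persistence_indicators(event):
    """Return the reasons a task-creation record looks like malware persistence."""
    task = parse_schtasks(event["cmd"])
    if task is None or "create" not in task["flags"]:
        return []
    opts, reasons = task["opts"], []
    action = opts.get("tr", "").lower()
    if any(d in action for d in WRITABLE_DIRS):
        reasons.append("task action in a user-writable directory: " + opts["tr"])
    if opts.get("rl", "").upper() == "HIGHEST":
        reasons.append("/rl HIGHEST: runs with the highest privileges the account holds")
    if opts.get("sc", "").upper() in FREQUENT_OR_LOGON:
        reasons.append("trigger " + opts["sc"].upper() + ": re-launches at logon or at short intervals")
    if "f" in task["flags"]:
        reasons.append("/f: silently overwrites an existing task of the same name")
    if not event["parent"].lower().startswith(TRUSTED_PARENTS):
        reasons.append("created by a process outside Windows/Program Files: " + event["parent"])
    return reasons


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        hits = persistence_indicators(ev)
        print(f"{ev['cmd'][:60]}... -> {len(hits)} indicator(s)")
        for r in hits:
            print("   ", r)
```

The same checks apply to the task XML under C:\Windows\System32\Tasks, where /rl HIGHEST shows up as `<RunLevel>HighestAvailable</RunLevel>` and the action path sits in `<Command>`; only the command-line form is handled here. Note that `/RU "user"` with `/rl HIGHEST` does not cross a privilege boundary by itself: the task runs with whatever the user's full token allows, which is why the two tasks here are about surviving reboots and restarts rather than elevation.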
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: devobj.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntmarta.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rstrtmgr.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d11.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxgi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: resourcepolicyclient.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d10warp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxcore.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: devobj.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: webio.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: schannel.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rstrtmgr.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d11.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxgi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: resourcepolicyclient.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d10warp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxcore.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wininet.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: devobj.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: webio.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: schannel.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: file.exe | Static file information: File size 2270736 > 1048576
                Source: file.exe | Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x188600
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0086C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,0_2_0086C630
                Source: initial sample | Static PE information: section where entry point is pointing to: .boot
                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name:
                Source: file.exe | Static PE information: section name: .vm_sec
                Source: file.exe | Static PE information: section name: .themida
                Source: file.exe | Static PE information: section name: .boot
                Source: RageMP131.exe.0.dr | Static PE information: section name:
                Source: RageMP131.exe.0.dr | Static PE information: section name:
                Source: RageMP131.exe.0.dr | Static PE information: section name:
                Source: RageMP131.exe.0.dr | Static PE information: section name:
                Source: RageMP131.exe.0.dr | Static PE information: section name:
                Source: RageMP131.exe.0.dr | Static PE information: section name: .vm_sec
                Source: RageMP131.exe.0.dr | Static PE information: section name: .themida
                Source: RageMP131.exe.0.dr | Static PE information: section name: .boot
                Source: MPGPH131.exe.0.dr | Static PE information: section name:
                Source: MPGPH131.exe.0.dr | Static PE information: section name:
                Source: MPGPH131.exe.0.dr | Static PE information: section name:
                Source: MPGPH131.exe.0.dr | Static PE information: section name:
                Source: MPGPH131.exe.0.dr | Static PE information: section name:
                Source: MPGPH131.exe.0.dr | Static PE information: section name: .vm_sec
                Source: MPGPH131.exe.0.dr | Static PE information: section name: .themida
                Source: MPGPH131.exe.0.dr | Static PE information: section name: .boot
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B39D2D push esi; mov dword ptr [esp], 0047292Eh 0_2_00C12F43
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B39D2D push ebp; mov dword ptr [esp], esi 0_2_00C12F57
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B39D2D push 21151430h; mov dword ptr [esp], ecx 0_2_00C12F6F
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00B39D2D push 224624E2h; mov dword ptr [esp], edi 0_2_00C12FF5
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D3F49 push ecx; ret 0_2_007D3F5C
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_005D9D2D push esi; mov dword ptr [esp], 0047292Eh 6_2_006B2F43
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_005D9D2D push ebp; mov dword ptr [esp], esi 6_2_006B2F57
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_005D9D2D push 21151430h; mov dword ptr [esp], ecx 6_2_006B2F6F
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_005D9D2D push 224624E2h; mov dword ptr [esp], edi 6_2_006B2FF5
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00273F49 push ecx; ret 6_2_00273F5C
                Source: file.exe | Static PE information: section name: entropy: 7.999486852289058
                Source: file.exe | Static PE information: section name: .boot entropy: 7.949192596228493
                Source: RageMP131.exe.0.dr | Static PE information: section name: entropy: 7.999486852289058
                Source: RageMP131.exe.0.dr | Static PE information: section name: .boot entropy: 7.949192596228493
                Source: MPGPH131.exe.0.dr | Static PE information: section name: entropy: 7.999486852289058
                Source: MPGPH131.exe.0.dr | Static PE information: section name: .boot entropy: 7.949192596228493
                Source: C:\Users\user\Desktop\file.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

                Boot Survival

                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                Source: C:\Users\user\Desktop\file.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
                Source: C:\Users\user\Desktop\file.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\Desktop\file.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Stalling execution: Execution stalls by calling Sleep
                Source: C:\Users\user\Desktop\file.exe | System information queried: FirmwareTableInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-50128
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-50222
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6624 | Thread sleep count: 163 > 30
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4524 | Thread sleep count: 85 > 30
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4524 | Thread sleep count: 149 > 30
                Source: C:\Users\user\Desktop\file.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0087D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_0087D2B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00831A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,0_2_00831A60
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008633B0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_008633B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00883B20 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,0_2_00883B20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D1F8C FindClose,FindFirstFileExW,GetLastError,0_2_007D1F8C
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007D2012 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,0_2_007D2012
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008313F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_008313F0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0031D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,6_2_0031D2B0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_003033B0 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,6_2_003033B0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002D1A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,6_2_002D1A60
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00323B20 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,6_2_00323B20
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00271F8C FindClose,FindFirstFileExW,GetLastError,6_2_00271F8C
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00272012 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,6_2_00272012
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002D13F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,6_2_002D13F0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0087D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_0087D2B0
                Source: MPGPH131.exe, 00000006.00000002.2332544604.000000000116E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_C7C08627:
                Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: formVMware20,11696428655
                Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ccount.microsoft.com/profileVMware20,11696428655u
                Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CT service, encrypted_token FROM token_servicerr global passwords blocklistVMware20,11696428655
                Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBn
                Source: MPGPH131.exe, 00000006.00000003.2149215743.0000000005A0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696
                Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: r global passwords blocklistVMware20,11696428655
                Source: MPGPH131.exe, 00000006.00000003.2149215743.0000000005A0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware20,11696428655
                Source: MPGPH131.exe, 00000007.00000002.2132463206.0000000001080000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
                Source: Amcache.hve.11.drBinary or memory string: vmci.sys
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: AMC password management pageVMware20,11696428655
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: tasks.office.comVMware20,11696428655o
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: interactivebrokers.comVMware20,11696428655
                Source: Amcache.hve.11.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: MPGPH131.exe, 00000006.00000003.2149215743.0000000005A0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CT name, value FROM autofillmain'.sqlite_masterr global passwords blocklistVMware20,11696428655
                Source: Amcache.hve.11.drBinary or memory string: VMware PCI VMCI Bus Device
                Source: Amcache.hve.11.drBinary or memory string: VMware Virtual RAM
                Source: Amcache.hve.11.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: bankofamerica.comVMware20,11696428655x
                Source: RageMP131.exe, 00000008.00000002.2431987171.00000000018EC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&"_
                Source: RageMP131.exe, 00000008.00000003.2153200187.0000000001903000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}^
                Source: Amcache.hve.11.drBinary or memory string: VMware Virtual USB Mouse
                Source: RageMP131.exe, 00000010.00000002.2533471546.00000000019B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: discord.comVMware20,11696428655f
                Source: RageMP131.exe, 00000010.00000002.2533471546.00000000019B2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: MPGPH131.exe, 00000006.00000003.2149215743.0000000005A0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,116
                Source: Amcache.hve.11.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: MPGPH131.exe, 00000006.00000002.2332544604.000000000116E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_C7C08627
                Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: outlook.office365.comVMware20,11696428655t
                Source: Amcache.hve.11.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: outlook.office.comVMware20,11696428655s
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rootpagecomVMware20,11696428655o
                Source: Amcache.hve.11.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                Source: Amcache.hve.11.drBinary or memory string: vmci.syshbin`
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: Amcache.hve.11.drBinary or memory string: \driver\vmci,\driver\pci
                Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: pageformVMware20,11696428655
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: dev.azure.comVMware20,11696428655j
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: MPGPH131.exe, 00000006.00000003.2149215743.0000000005A0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428H
                Source: Amcache.hve.11.drBinary or memory string: VMware
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: global block list test formVMware20,11696428655
                Source: Amcache.hve.11.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: file.exe, 00000000.00000002.2325278165.0000000001400000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2325278165.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.00000000010EB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010D4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2431987171.00000000018EC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2431987171.000000000191E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019E3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000003.2455967104.00000000019EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: MPGPH131.exe, 00000006.00000003.2153261936.000000000117C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}lfons\AppData\Local\NVIDIA Corporation\NVIDIA GeForce Experience\*
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: RageMP131.exe, 00000010.00000003.2256184432.00000000019B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: MPGPH131.exe, 00000006.00000003.2149215743.0000000005A0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: eVMware20,11696428655
                Source: Amcache.hve.11.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,1169642865
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,116968
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: Amcache.hve.11.drBinary or memory string: VMware20,1
                Source: file.exe, 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\Profiles\v6zchhhv.default-release\signons.sqlite.nl,n.[
                Source: Amcache.hve.11.drBinary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.11.drBinary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.11.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: Amcache.hve.11.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ra Change Transaction PasswordVMware20,11696428655
                Source: Amcache.hve.11.drBinary or memory string: VMware VMCI Bus Device
                Source: MPGPH131.exe, 00000006.00000003.2149342197.0000000005A18000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .bankofamerica.comVMware20,11696
                Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: o.inVMware20,11696428655~
                Source: file.exe, 00000000.00000002.2325845259.000000000145A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}W?
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: Amcache.hve.11.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: RageMP131.exe, 00000010.00000002.2533471546.0000000001950000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
                Source: Amcache.hve.11.drBinary or memory string: vmci.syshbin
                Source: Amcache.hve.11.drBinary or memory string: VMware, Inc.
                Source: Amcache.hve.11.drBinary or memory string: VMware20,1hbin@
                Source: Amcache.hve.11.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696428655
                Source: Amcache.hve.11.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: comVMware20,11696428655o
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: Amcache.hve.11.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: XQcivVrU5A5HWeb Data.0.drBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: Amcache.hve.11.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tive Brokers - non-EU EuropeVMware20,11696428655
                Source: file.exe, 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}y,h.uy,i.uy,j.uy,k.uy,l.uy,m.uy,n.uy,o.uy,p.uy,q.uy,r.uy,s.uy,t.uy,u.uy,v.uy,w.uy,x.uy,y.uy,z.uy,a
                Source: file.exe, 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}gramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows8ZAAAA``/
                Source: Amcache.hve.11.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: MPGPH131.exe, 00000006.00000003.2149215743.0000000005A0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,1169642865@
                Source: file.exe, 00000000.00000002.2325278165.0000000001400000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWL
                Source: RageMP131.exe, 00000010.00000002.2533471546.00000000019E3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000003.2455967104.00000000019EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW>
                Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,116`
                Source: RageMP131.exe, 00000010.00000002.2533471546.000000000199F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess queried: DebugPort
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007D8A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_007D8A54
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0086C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,0_2_0086C630
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00864130 mov eax, dword ptr fs:[00000030h]0_2_00864130
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00831A60 mov eax, dword ptr fs:[00000030h]0_2_00831A60
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00304130 mov eax, dword ptr fs:[00000030h]6_2_00304130
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_002D1A60 mov eax, dword ptr fs:[00000030h]6_2_002D1A60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00886E20 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree,0_2_00886E20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007D8A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_007D8A54
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_007D450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_007D450D
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_0027450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_0027450D
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00278A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00278A54

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0086C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,0_2_0086C630
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_0030C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,6_2_0030C630
                Source: C:\Users\user\Desktop\file.exeCode function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_0087D2B0
                Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_007F31B8
                Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_007EB1A3
                Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_007F32E1
                Source: C:\Users\user\Desktop\file.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_007F2B48
                Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_007F33E7
                Source: C:\Users\user\Desktop\file.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_007F34BD
                Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_007F2D4D
                Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_007F2DF4
                Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_007F2E3F
                Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_007F2EDA
                Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_007F2F65
                Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_007EB726
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,6_2_0031D2B0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,6_2_0028B1A3
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,6_2_002931B8
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,6_2_002932E1
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,6_2_002933E7
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,6_2_002934BD
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,6_2_0028B726
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,6_2_00292B48
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,6_2_00292D4D
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,6_2_00292DF4
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,6_2_00292E3F
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,6_2_00292EDA
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,6_2_00292F65
                Source: C:\Users\user\Desktop\file.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\Users\user\Desktop\file.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite VolumeInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0087D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_0087D2B0
                Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: Amcache.hve.11.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.11.drBinary or memory string: msmpeng.exe
                Source: Amcache.hve.11.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Amcache.hve.11.drBinary or memory string: MsMpEng.exe

                Stealing of Sensitive Information

                Source: Yara match | File source: 00000000.00000002.2326694552.0000000005DC4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.2333459442.00000000059B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 5688, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 3160, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 1896, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 6984, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\HCwgibNvhQ3gDx_DWG1aNau.zip, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\1YMX7UxRgh318S1TWXmjgUx.zip, type: DROPPED
                Source: file.exe, 00000000.00000003.2161978474.0000000001458000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\walletsni
                Source: file.exe, 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
                Source: file.exe, 00000000.00000003.2161978474.0000000001458000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxxs
                Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                Source: file.exe, 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
                Source: file.exe, 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
                Source: file.exe, 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: file.exe, 00000000.00000002.2325278165.0000000001400000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
                Source: file.exe, 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live$
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\formhistory.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Yara match | File source: 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 5688, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 3160, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: 00000000.00000002.2326694552.0000000005DC4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.2333459442.00000000059B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 5688, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 3160, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 1896, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 6984, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\HCwgibNvhQ3gDx_DWG1aNau.zip, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\1YMX7UxRgh318S1TWXmjgUx.zip, type: DROPPED
                MITRE ATT&CK Matrix (one row per line, columns separated by "|"; the number preceding a technique is the figure the matrix displays for that matched technique)

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 Scheduled Task/Job | 11 Process Injection | 3 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 2 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 2 Software Packing | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | NTDS | 35 System Information Discovery | Distributed Component Object Model | 1 Email Collection | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 1 Query Registry | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 13 Virtualization/Sandbox Evasion | Cached Domain Credentials | 351 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Process Injection | DCSync | 13 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                Behavior Graph (rendered graph not reproduced here): ID 1431817, Sample: file.exe, Startdate: 25/04/2024, Architecture: WINDOWS, Score: 100. Processes shown: file.exe, MPGPH131.exe (two instances), schtasks.exe (two instances), WerFault.exe (two instances), conhost.exe (two instances) and 2 other processes. Contacted hosts: 147.45.47.93 (FREE-NET-AS FREEnet EU, Russian Federation), ipinfo.io 34.117.186.192 (GOOGLE-AS-AP, United States), db-ip.com 104.26.5.15 (CLOUDFLARENETUS, United States). Dropped files: C:\Users\user\AppData\Local\...\RageMP131.exe (PE32), C:\ProgramData\MPGPH131\MPGPH131.exe (PE32), C:\Users\user\...\HCwgibNvhQ3gDx_DWG1aNau.zip (Zip), C:\Users\user\...\1YMX7UxRgh318S1TWXmjgUx.zip (Zip).

                Source | Detection | Scanner | Label
                file.exe | 100% | Joe Sandbox ML |

                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 100% | Joe Sandbox ML |
                C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Joe Sandbox ML |
                C:\ProgramData\MPGPH131\MPGPH131.exe | 39% | Virustotal |
                C:\ProgramData\MPGPH131\MPGPH131.exe | 32% | ReversingLabs |
                C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 32% | ReversingLabs |
                C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 39% | Virustotal |

                No Antivirus matches

                No Antivirus matches

                Source | Detection | Scanner | Label
                http://193.233.132.167/cost/lenin.exe | 100% | URL Reputation | malware
                http://193.233.132.167/cost/go.exe | 100% | Avira URL Cloud | malware
                http://193.233.132.167/cost/go.exe(i | 100% | Avira URL Cloud | malware
                http://147.45.47.102:57893/hera/amadka.exe42359 | 0% | Avira URL Cloud | safe
                http://147.45.47.102:57893/hera/amadka.exe&i | 0% | Avira URL Cloud | safe
                http://147.45.47.102:57893/hera/amadka.exe | 100% | Avira URL Cloud | malware
                http://193.233.132.167/cost/go.exe | 25% | Virustotal |
                http://147.45.47.102:57893/hera/amadka.exe | 18% | Virustotal |
                http://193.233.132.167/cost/go.exedka.exe | 100% | Avira URL Cloud | malware
                http://147.45.47.102:57893/hera/amadka.exeop | 0% | Avira URL Cloud | safe
                http://193.233.132.167/cost/lenin.exeegent | 100% | Avira URL Cloud | malware
                http://193.233.132.167/cost/go.exeerver | 100% | Avira URL Cloud | malware
                http://193.233.132.167/cost/lenin.exeerH_ | 100% | Avira URL Cloud | malware
                http://147.45.47.102:57893/hera/amadka.exeop | 18% | Virustotal |
                http://193.233.132.167/cost/go.exedka.exe | 26% | Virustotal |
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                ipinfo.io | 34.117.186.192 | true | false | | high
                db-ip.com | 104.26.5.15 | true | false | | high

                Name | Malicious | Antivirus Detection | Reputation
                https://ipinfo.io/widget/demo/185.152.66.230 | false | | high
                https://db-ip.com/demo/home.php?s=185.152.66.230 | false | | high
                Name | Source | Malicious | Antivirus Detection | Reputation
                https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.dr | false | | high
                https://db-ip.com:443/demo/home.php?s=185.152.66.230P | RageMP131.exe, 00000010.00000002.2533471546.00000000019E3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000003.2455967104.00000000019EB000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.dr | false | | high
                http://147.45.47.102:57893/hera/amadka.exe | file.exe, 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp | false | 18% Virustotal; Avira URL Cloud: malware | unknown
                http://147.45.47.102:57893/hera/amadka.exe42359 | MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://ipinfo.io/6K | RageMP131.exe, 00000010.00000002.2533471546.00000000019C1000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://db-ip.com/ | RageMP131.exe, 00000010.00000003.2455967104.00000000019EB000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://147.45.47.102:57893/hera/amadka.exe&i | MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.dr | false | | high
                http://193.233.132.167/cost/go.exe(i | MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
                https://t.me/risepro | RageMP131.exe, 00000008.00000002.2431987171.000000000191E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://193.233.132.167/cost/go.exe | file.exe, 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp | true | 25% Virustotal; Avira URL Cloud: malware | unknown
                https://db-ip.com:443/demo/home.php?s=185.152.66.230 | file.exe, 00000000.00000002.2325278165.0000000001400000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2431987171.000000000191E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.dr | false | | high
                https://ipinfo.io/s | RageMP131.exe, 00000010.00000002.2533471546.000000000198F000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://ipinfo.io:443/widget/demo/185.152.66.230Qd | RageMP131.exe, 00000008.00000002.2431987171.0000000001915000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://t.me/risepro_botisepro_bot | RageMP131.exe, 00000008.00000002.2431987171.000000000191E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019E3000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://147.45.47.102:57893/hera/amadka.exeop | file.exe, 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmp | false | 18% Virustotal; Avira URL Cloud: safe | unknown
                https://t.me/risepro_bot7 | file.exe, 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://193.233.132.167/cost/lenin.exe | MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                https://ipinfo.io/m | RageMP131.exe, 00000008.00000002.2431987171.000000000190F000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://ipinfo.io/widget/demo/185.152.66.230q | RageMP131.exe, 00000010.00000002.2533471546.00000000019AE000.00000004.00000020.00020000.00000000.sdmp | false | | high
                https://t.me/RiseProSUPPORT.tPVx | file.exe, 00000000.00000002.2325278165.000000000136E000.00000004.00000020.00020000.00000000.sdmp | false | | high
                http://193.233.132.167/cost/lenin.exeegent | MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                https://db-ip.com:443/demo/home.php?s=185.152.66.230.datapacket.com | MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp | false |
                                                          high
                                                          https://t.me/risepro_bot6.230MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            https://t.me/RiseProSUPPORT3RageMP131.exe, 00000010.00000002.2533471546.0000000001957000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              https://www.google.com/images/branding/product/ico/googleg_lodp.icofile.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.drfalse
                                                                high
                                                                https://ipinfo.io/ORageMP131.exe, 00000008.00000002.2431987171.00000000018D3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dllfile.exe, 00000000.00000003.2033168714.0000000002E70000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2331180596.000000000039B000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2059493244.0000000001020000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2059966123.0000000000FA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2129853471.000000000039B000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000003.2138507545.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2430993688.0000000000F5B000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000003.2228346695.00000000016E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2531991205.0000000000F5B000.00000040.00000001.01000000.00000006.sdmpfalse
                                                                    high
                                                                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.drfalse
                                                                      high
                                                                      http://193.233.132.167/cost/go.exedka.exeMPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      • 26%, Virustotal, Browse
                                                                      • Avira URL Cloud: malware
                                                                      unknown
                                                                      http://193.233.132.167/cost/go.exeerverMPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: malware
                                                                      unknown
                                                                      http://upx.sf.netAmcache.hve.11.drfalse
                                                                        high
                                                                        https://t.me/RiseProSUPPORTfile.exe, 00000000.00000002.2326694552.0000000005DC4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.000000000109D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2333459442.00000000059B0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.0000000001087000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2431987171.000000000189E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.0000000001957000.00000004.00000020.00020000.00000000.sdmp, HCwgibNvhQ3gDx_DWG1aNau.zip.0.dr, 1YMX7UxRgh318S1TWXmjgUx.zip.6.drfalse
                                                                          high
                                                                          https://www.ecosia.org/newtab/file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.drfalse
                                                                            high
                                                                            https://ipinfo.io/Mozilla/5.0file.exe, 00000000.00000002.2325278165.00000000013EF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.0000000001109000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2431987171.000000000191E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019CC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brD87fZN3R3jFeplaces.sqlite.7.drfalse
                                                                                high
                                                                                https://t.me/risepro_botistRageMP131.exe, 00000010.00000002.2533471546.00000000019E3000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://ac.ecosia.org/autocomplete?q=file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.drfalse
                                                                                    high
                                                                                    https://db-ip.com/demo/home.php?s=185.152.66.230iMPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://t.me/risepro_botRageMP131.exe, 00000010.00000002.2533471546.00000000019E3000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr, passwords.txt.6.drfalse
                                                                                        high
                                                                                        https://ipinfo.io/RageMP131.exe, 00000008.00000002.2431987171.000000000191E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2431987171.00000000018D3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.000000000198F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019E3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019CC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000003.2455967104.00000000019EB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://ipinfo.io/1MPGPH131.exe, 00000006.00000002.2332544604.0000000001109000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://www.maxmind.com/en/locate-my-ip-addressfile.exe, MPGPH131.exefalse
                                                                                              high
                                                                                              https://db-ip.com/demo/home.php?s=185.152.66.230XlMPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://ipinfo.io:443/widget/demo/185.152.66.230file.exe, 00000000.00000002.2325278165.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.0000000001117000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019CC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBLD87fZN3R3jFeplaces.sqlite.7.drfalse
                                                                                                    high
                                                                                                    https://t.me/risepro_botsARageMP131.exe, 00000008.00000002.2431987171.000000000191E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://www.winimage.com/zLibDllfile.exe, 00000000.00000003.2033168714.0000000002E70000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2331180596.000000000039B000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2059493244.0000000001020000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2059966123.0000000000FA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2129853471.000000000039B000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000003.2138507545.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2430993688.0000000000F5B000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000003.2228346695.00000000016E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2531991205.0000000000F5B000.00000040.00000001.01000000.00000006.sdmpfalse
                                                                                                        high
                                                                                                        https://t.me/risepro_botlatere_(MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://193.233.132.167/cost/lenin.exeerH_MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: malware
                                                                                                          unknown
                                                                                                          https://support.mozilla.orgD87fZN3R3jFeplaces.sqlite.7.drfalse
                                                                                                            high
                                                                                                            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.drfalse
                                                                                                              high
                                                                                                              https://ipinfo.io/jMMPGPH131.exe, 00000006.00000002.2332544604.00000000010D1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
IP | Domain | Country | ASN | ASN Name | Malicious
--- | --- | --- | --- | --- | ---
34.117.186.192 | ipinfo.io | United States | 139070 | GOOGLE-AS-AP Google Asia Pacific Pte Ltd SG | false
147.45.47.93 | unknown | Russian Federation | 2895 | FREE-NET-AS FREEnet EU | true
104.26.5.15 | db-ip.com | United States | 13335 | CLOUDFLARENET US | false
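The URL strings above are carved from process memory, so most of them carry a few bytes of the next string in memory as a suffix (`risepro_bot7`, `lenin.exeegent`, `ipinfo.io/s`) or have two adjacent strings glued together (`favicon.icohttps://duckduckgo.com/?q=`). Feeding them to a blocklist verbatim misses the real URL. The following is an added example, not Joe Sandbox output and not RisePro code: it reduces a subset of the table, copied as constructed input, to a canonical IOC set using three heuristics of my own (split glued strings at each scheme, drop default ports, collapse a short slash-free suffix onto a shorter sibling URL) and then separates literal-IP hosts from named hosts. The `MAX_JUNK` limit and the extension list are assumptions.

```python
"""Normalise URL strings that Joe Sandbox carved from process memory into a clean IOC set.

Added example, not part of the report and not Joe Sandbox code. CARVED is a subset
copied from the report's URL table; the clean-up rules are my own heuristics.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Carved strings copied from the report's URL table (a constructed subset).
CARVED = [
    "https://db-ip.com:443/demo/home.php?s=185.152.66.230",
    "https://ipinfo.io/s",
    "https://ipinfo.io:443/widget/demo/185.152.66.230Qd",
    "https://t.me/risepro_botisepro_bot",
    "http://147.45.47.102:57893/hera/amadka.exeop",
    "https://t.me/risepro_bot7",
    "http://193.233.132.167/cost/lenin.exe",
    "https://ipinfo.io/widget/demo/185.152.66.230q",
    "https://t.me/RiseProSUPPORT.tPVx",
    "http://193.233.132.167/cost/lenin.exeegent",
    "https://db-ip.com:443/demo/home.php?s=185.152.66.230.datapacket.com",
    "https://t.me/risepro_bot6.230",
    "https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll",
    "http://193.233.132.167/cost/go.exedka.exe",
    "http://193.233.132.167/cost/go.exeerver",
    "https://t.me/RiseProSUPPORT",
    "https://ipinfo.io/Mozilla/5.0",
    "https://t.me/risepro_bot",
    "https://ipinfo.io/",
    "https://www.maxmind.com/en/locate-my-ip-address",
    "https://db-ip.com/demo/home.php?s=185.152.66.230Xl",
    "https://ipinfo.io:443/widget/demo/185.152.66.230",
    "https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=",
]

SCHEME = re.compile(r"https?://")
# ".exe"/".dll"/".zip" followed directly by more letters is the real end plus carving noise.
EXT_JUNK = re.compile(r"(\.(?:exe|dll|zip))(?=[A-Za-z0-9_])[^/?#]*$")
MAX_JUNK = 16  # longest suffix treated as noise when a shorter sibling URL exists (assumption)


def split_glued(s):
    """Split 'https://a/xhttps://b/y' into its two adjacent strings (no NUL between them in memory)."""
    starts = [m.start() for m in SCHEME.finditer(s)]
    if not starts:
        return [s]
    return [s[a:b] for a, b in zip(starts, starts[1:] + [len(s)])]


def drop_default_port(url):
    """Treat https://host:443/x and https://host/x as the same URL."""
    parts = urlsplit(url)
    if parts.port == {"http": 80, "https": 443}.get(parts.scheme):
        return parts._replace(netloc=parts.hostname).geturl()
    return url


def strip_extension_junk(url):
    """'amadka.exeop' -> 'amadka.exe', 'go.exedka.exe' -> 'go.exe'."""
    return EXT_JUNK.sub(r"\1", url)


def collapse(urls):
    """Map each URL to its canonical form: the shortest already-accepted URL that is a
    prefix of it, provided the leftover looks like noise (short, no further path segment)."""
    canonical = []   # kept in ascending length order, so the first hit is the shortest
    mapping = {}
    for url in sorted(urls, key=len):
        target = url
        for c in canonical:
            rem = url[len(c):]
            if url.startswith(c) and 0 < len(rem) <= MAX_JUNK and "/" not in rem:
                target = c
                break
        if target == url:
            canonical.append(url)
        mapping[url] = target
    return mapping


def normalise(carved):
    """Return {canonical_url: [carved strings that reduce to it]}."""
    cleaned = set()
    origin = defaultdict(list)
    for raw in carved:
        for piece in split_glued(raw):
            url = strip_extension_junk(drop_default_port(piece))
            cleaned.add(url)
            origin[url].append(raw)
    groups = defaultdict(list)
    for url, canon in collapse(cleaned).items():
        groups[canon].extend(origin[url])
    return dict(groups)


def hosts_by_kind(urls):
    """Literal-IP hosts (payload servers, block outright) versus named hosts (here mostly
    geolocation services and browser defaults, which need context before blocking)."""
    ip_hosts, named = set(), set()
    for url in urls:
        host = urlsplit(url).hostname or ""
        try:
            ipaddress.ip_address(host)
            ip_hosts.add(host)
        except ValueError:
            named.add(host)
    return sorted(ip_hosts), sorted(named)


if __name__ == "__main__":
    groups = normalise(CARVED)
    for canon, raws in sorted(groups.items()):
        print(f"{canon}  <- {len(raws)} carved string(s)")
    ips, names = hosts_by_kind(groups)
    print("literal-IP hosts:", ips)
    print("named hosts:", names)
```

Run it and the 23 carved strings fold into 12 canonical URLs, with `t.me/risepro_bot`, `ipinfo.io/widget/demo/185.152.66.230` and `db-ip.com/demo/home.php?s=185.152.66.230` each absorbing their junk-suffixed variants. One residual survives on purpose: `https://ipinfo.io/Mozilla/5.0` is the User-Agent string glued onto `https://ipinfo.io/`, but because the remainder contains a slash the heuristic cannot tell it from a real path, so it is left for the analyst rather than silently merged.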
                                                                                                                Joe Sandbox version:40.0.0 Tourmaline
                                                                                                                Analysis ID:1431817
                                                                                                                Start date and time:2024-04-25 20:35:07 +02:00
                                                                                                                Joe Sandbox product:CloudBasic
                                                                                                                Overall analysis duration:0h 9m 55s
                                                                                                                Hypervisor based Inspection enabled:false
                                                                                                                Report type:full
                                                                                                                Cookbook file name:default.jbs
                                                                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:19
                                                                                                                Number of new started drivers analysed:0
                                                                                                                Number of existing processes analysed:0
                                                                                                                Number of existing drivers analysed:0
                                                                                                                Number of injected processes analysed:0
                                                                                                                Technologies:
                                                                                                                • HCA enabled
                                                                                                                • EGA enabled
                                                                                                                • AMSI enabled
                                                                                                                Analysis Mode:default
                                                                                                                Analysis stop reason:Timeout
                                                                                                                Sample name:file.exe
                                                                                                                Detection:MAL
                                                                                                                Classification:mal100.troj.spyw.evad.winEXE@13/58@2/3
                                                                                                                EGA Information:
                                                                                                                • Successful, ratio: 100%
                                                                                                                HCA Information:
                                                                                                                • Successful, ratio: 67%
                                                                                                                • Number of executed functions: 48
                                                                                                                • Number of non-executed functions: 0
                                                                                                                Cookbook Comments:
                                                                                                                • Found application associated with file extension: .exe
                                                                                                                • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                                                                                • Excluded IPs from analysis (whitelisted): 52.168.117.173
                                                                                                                • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                • Report size getting too big, too many NtCreateFile calls found.
                                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
--- | --- | ---
20:35:58 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
20:35:59 | Task Scheduler | Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
20:35:59 | Task Scheduler | Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
20:36:07 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
20:36:26 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
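The timeline records the two persistence mechanisms this sample uses: a `RageMP131` value in the current user's Run key pointing into `%LOCALAPPDATA%\RageMP131\`, and two scheduled tasks (`MPGPH131 HR`, `MPGPH131 LG`) that run `C:\ProgramData\MPGPH131\MPGPH131.exe`. Both follow the same shape: an executable whose directory sits directly under LocalAppData or ProgramData and carries the executable's own name. The script below is an added example, not Joe Sandbox output and not RisePro code, for hunting those artifacts on an endpoint. The names in `KNOWN_NAMES` and the first three sample records are copied from the timeline; the self-named-directory rule is my generalisation of that pattern and the benign filler records are constructed. `evaluate()` is pure so it runs offline against collected records; `collect_windows()` reads the live Run key and `schtasks /query /fo CSV /v` output and only works on the Windows host being checked.

```python
"""Hunt for the persistence this report records: an HKCU Run value and two scheduled tasks.

Added example, not Joe Sandbox output and not RisePro code. KNOWN_NAMES and the first
three sample records come from the report's timeline; the "self-named directory directly
under LocalAppData/ProgramData" rule is my own generalisation and may need tuning against
what is normal in your estate.
"""
import csv
import subprocess
import sys
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

KNOWN_NAMES = ("RageMP131", "MPGPH131")  # from the report's timeline
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed records in the shape the collector returns: (name, command).
# The RageMP131 value and the two MPGPH131 tasks mirror the report; the rest are benign fillers.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("RageMP131", r"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"),
]
SAMPLE_TASKS = [
    ("MPGPH131 HR", r"C:\ProgramData\MPGPH131\MPGPH131.exe"),
    ("MPGPH131 LG", r"C:\ProgramData\MPGPH131\MPGPH131.exe"),
    ("GoogleUpdateTaskMachineUA", r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua'),
]


def command_to_exe(command: str) -> str:
    """Executable path from a Run value or task action, with quotes and arguments removed."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    idx = command.lower().find(".exe")  # unquoted paths may contain spaces, so cut at .exe
    return command[: idx + 4] if idx >= 0 else command.split()[0]


def self_named_under_root(exe: str) -> Optional[str]:
    """'LocalAppData' or 'ProgramData' if exe is <root>\\<Name>\\<Name>.exe, else None."""
    parts = [p.lower() for p in PureWindowsPath(exe).parts]
    root, rest = None, None
    if len(parts) > 2 and parts[1] == "programdata":
        root, rest = "ProgramData", parts[2:]
    else:
        for i in range(len(parts) - 1):
            if parts[i] == "appdata" and parts[i + 1] == "local":
                root, rest = "LocalAppData", parts[i + 2:]
                break
    if rest is None or len(rest) != 2:  # exactly one directory between root and file
        return None
    directory, filename = rest
    return root if filename.endswith(".exe") and directory == filename[:-4] else None


def evaluate(run_values: List[Tuple[str, str]], tasks: List[Tuple[str, str]]) -> List[dict]:
    """Flag Run values and tasks matching the report's names or the self-named-directory rule."""
    findings = []
    for kind, entries in (("Run", run_values), ("Task", tasks)):
        for name, command in entries:
            exe = command_to_exe(command)
            reasons = []
            if any(k.lower() in (name + " " + exe).lower() for k in KNOWN_NAMES):
                reasons.append("name seen in the RisePro report")
            root = self_named_under_root(exe)
            if root:
                reasons.append(f"self-named executable directly under {root}")
            if reasons:
                findings.append({"type": kind, "name": name, "exe": exe, "reasons": reasons})
    return findings


def collect_windows() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Read HKCU Run values and the verbose schtasks listing on the host itself."""
    if sys.platform != "win32":
        raise RuntimeError("collect_windows() reads live state and only works on Windows")
    import winreg  # Windows-only module, imported lazily
    run_values = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] is the number of values
            name, data, _ = winreg.EnumValue(key, i)
            run_values.append((name, str(data)))
    out = subprocess.run(["schtasks", "/query", "/fo", "CSV", "/v"],
                         capture_output=True, text=True, check=True).stdout
    tasks = []
    for row in csv.DictReader(out.splitlines()):
        if row.get("TaskName") not in (None, "TaskName"):  # /v repeats the header per folder
            tasks.append((row["TaskName"], row.get("Task To Run", "")))
    return run_values, tasks


if __name__ == "__main__":
    run_values, tasks = (collect_windows() if sys.platform == "win32"
                         else (SAMPLE_RUN_VALUES, SAMPLE_TASKS))
    for f in evaluate(run_values, tasks):
        print(f"{f['type']:4} {f['name']!r}: {f['exe']}  [{'; '.join(f['reasons'])}]")
```

Against the constructed records this reports the `RageMP131` Run value (both rules fire) and the two `MPGPH131` tasks, and stays silent on OneDrive, whose executable sits two levels below LocalAppData. The generic rule is deliberately narrow (depth exactly one, directory name equal to the executable stem) to keep false positives low, but some legitimate installers use the same layout, so treat a generic-only hit as a lead to triage rather than a verdict.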
                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                34.117.186.192SecuriteInfo.com.Win32.Evo-gen.24318.16217.exeGet hashmaliciousUnknownBrowse
                                                                                                                • ipinfo.io/json
                                                                                                                SecuriteInfo.com.Win32.Evo-gen.28489.31883.exeGet hashmaliciousUnknownBrowse
                                                                                                                • ipinfo.io/json
                                                                                                                Raptor.HardwareService.Setup 1.msiGet hashmaliciousUnknownBrowse
                                                                                                                • ipinfo.io/ip
                                                                                                                Conferma_Pdf_Editor.exeGet hashmaliciousPlanet StealerBrowse
                                                                                                                • ipinfo.io/
                                                                                                                Conferma_Pdf_Editor.exeGet hashmaliciousPlanet StealerBrowse
                                                                                                                • ipinfo.io/
                                                                                                                w.shGet hashmaliciousXmrigBrowse
                                                                                                                • /ip
                                                                                                                Raptor.HardwareService.Setup_2.3.6.0.msiGet hashmaliciousUnknownBrowse
                                                                                                                • ipinfo.io/ip
Raptor.HardwareService.Setup_2.3.6.0.msi | Get hash | malicious | Unknown | Browse | ipinfo.io/ip
uUsgzQ3DoW.exe | Get hash | malicious | RedLine | Browse | ipinfo.io/ip
8BZBgbeCcz.exe | Get hash | malicious | RedLine | Browse | ipinfo.io/ip
147.45.47.93 | file.exe | Get hash | malicious | RisePro Stealer | Browse |
147.45.47.93 | file.exe | Get hash | malicious | Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT | Browse |
147.45.47.93 | ygm2mXUReY.exe | Get hash | malicious | RisePro Stealer | Browse |
147.45.47.93 | file.exe | Get hash | malicious | RisePro Stealer | Browse |
147.45.47.93 | file.exe | Get hash | malicious | RisePro Stealer | Browse |
147.45.47.93 | qk9TaBBxh8.exe | Get hash | malicious | LummaC, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | Browse |
147.45.47.93 | s2dwlCsA95.exe | Get hash | malicious | RisePro Stealer | Browse |
147.45.47.93 | SecuriteInfo.com.Win32.Evo-gen.15237.11182.exe | Get hash | malicious | Amadey, RedLine, RisePro Stealer | Browse |
147.45.47.93 | SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe | Get hash | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer | Browse |
147.45.47.93 | UeW2b6mU6Z.exe | Get hash | malicious | Amadey, RisePro Stealer | Browse |
104.26.5.15 | SecuriteInfo.com.Win64.Evo-gen.17494.7440.exe | Get hash | malicious | Unknown | Browse | api.db-ip.com/v2/free/127.0.0.1
104.26.5.15 | Nemty.exe | Get hash | malicious | Nemty | Browse | api.db-ip.com/v2/free/84.17.52.2/countryName
104.26.5.15 | 227.exe | Get hash | malicious | Nemty | Browse | api.db-ip.com/v2/free/102.129.143.40/countryName
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ipinfo.io | file.exe | Get hash | malicious | PureLog Stealer, RisePro Stealer, zgRAT | Browse | 34.117.186.192
ipinfo.io | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 34.117.186.192
ipinfo.io | http://crunchersflowdigital.com | Get hash | malicious | Unknown | Browse | 34.117.186.192
ipinfo.io | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 34.117.186.192
ipinfo.io | file.exe | Get hash | malicious | RisePro Stealer | Browse | 34.117.186.192
ipinfo.io | TeaiGames.exe | Get hash | malicious | NovaSentinel | Browse | 34.117.186.192
ipinfo.io | ShadowFury.exe | Get hash | malicious | Unknown | Browse | 34.117.186.192
ipinfo.io | ShadowFury.exe | Get hash | malicious | Unknown | Browse | 34.117.186.192
ipinfo.io | SOLkM5sa4R.exe | Get hash | malicious | Phemedrone Stealer | Browse | 34.117.186.192
ipinfo.io | xOiio3LmAO.exe | Get hash | malicious | Phemedrone Stealer | Browse | 34.117.186.192
db-ip.com | file.exe | Get hash | malicious | PureLog Stealer, RisePro Stealer, zgRAT | Browse | 172.67.75.166
db-ip.com | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 104.26.5.15
db-ip.com | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 104.26.5.15
db-ip.com | file.exe | Get hash | malicious | RisePro Stealer | Browse | 172.67.75.166
db-ip.com | ygm2mXUReY.exe | Get hash | malicious | RisePro Stealer | Browse | 172.67.75.166
db-ip.com | file.exe | Get hash | malicious | RisePro Stealer | Browse | 172.67.75.166
db-ip.com | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 104.26.5.15
db-ip.com | 2q45IEa3Ee.exe | Get hash | malicious | LummaC, RisePro Stealer | Browse | 104.26.5.15
db-ip.com | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 104.26.4.15
db-ip.com | SajWKdHxdF.exe | Get hash | malicious | RisePro Stealer | Browse | 104.26.5.15
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | Get hash | malicious | PureLog Stealer, RisePro Stealer, zgRAT | Browse | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | 0ar3q66pGv.elf | Get hash | malicious | Mirai | Browse | 34.116.69.95
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | http://94.156.79.129/x86_64 | Get hash | malicious | Unknown | Browse | 34.117.121.53
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | http://94.156.79.129/i686 | Get hash | malicious | Unknown | Browse | 34.117.121.53
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | http://crunchersflowdigital.com | Get hash | malicious | Unknown | Browse | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 34.117.186.192
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | https://i.imgur.com/EoTj4iI.png | Get hash | malicious | Unknown | Browse | 34.117.239.71
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | https://i.imgur.com/VlAllek.png | Get hash | malicious | Unknown | Browse | 34.117.239.71
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | https://tibusiness.cl/css/causarol.rar | Get hash | malicious | Unknown | Browse | 34.117.188.166
FREE-NET-ASFREEnetEU | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 193.233.132.175
FREE-NET-ASFREEnetEU | uqGHhft2DO.elf | Get hash | malicious | Mirai | Browse | 147.45.234.222
FREE-NET-ASFREEnetEU | file.exe | Get hash | malicious | RedLine | Browse | 193.233.132.169
FREE-NET-ASFREEnetEU | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 193.233.132.175
FREE-NET-ASFREEnetEU | 957C4XK6Lt.exe | Get hash | malicious | Phorpiex | Browse | 193.233.132.177
FREE-NET-ASFREEnetEU | file.exe | Get hash | malicious | RisePro Stealer | Browse | 193.233.132.47
FREE-NET-ASFREEnetEU | file.exe | Get hash | malicious | RisePro Stealer | Browse | 193.233.132.47
FREE-NET-ASFREEnetEU | file.exe | Get hash | malicious | RisePro Stealer | Browse | 147.45.47.93
FREE-NET-ASFREEnetEU | file.exe | Get hash | malicious | Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT | Browse | 193.233.132.234
FREE-NET-ASFREEnetEU | file.exe | Get hash | malicious | Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT | Browse | 193.233.132.234
CLOUDFLARENETUS | https://j4tpu.bpmsafelink.com/c/0aR4TTLkLUqplUI-2TrhdA | Get hash | malicious | HTMLPhisher | Browse | 104.17.25.14
CLOUDFLARENETUS | https://clc.li/bsLRU | Get hash | malicious | HTMLPhisher | Browse | 104.21.22.140
CLOUDFLARENETUS | https://sigtn.com////////utils/emt.cfm?client_id=9195153&campaign_id=73466&link=neoparts%E3%80%82com.br./dayo/fks6/TWFncm8uWXVkZWdvLkphdmllckBkZW1lLWdyb3VwLmNvbQ==$ | Get hash | malicious | Fake Captcha, HTMLPhisher | Browse | 104.17.25.14
CLOUDFLARENETUS | file.exe | Get hash | malicious | PureLog Stealer, RisePro Stealer, zgRAT | Browse | 172.67.75.166
CLOUDFLARENETUS | ProconGO1121082800.LnK.lnk | Get hash | malicious | Unknown | Browse | 104.21.29.223
CLOUDFLARENETUS | o3KyzpE7F4.ps1 | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 172.67.74.152
CLOUDFLARENETUS | http://www.mh3solaroh.com/ | Get hash | malicious | HTMLPhisher | Browse | 104.17.246.203
CLOUDFLARENETUS | https://web.lehighvalleychamber.org/cwt/external/wcpages/referral.aspx?ReferralType=W&ProfileID=5337&ListingID=4065&CategoryID=74&SubCategoryID=0&url=//sanemedia.ca/owaow/yjyo8q/bWFyaWEud29qY2llY2hvd3NraUBjby5tb25tb3V0aC5uai51cw== | Get hash | malicious | HTMLPhisher | Browse | 172.67.69.226
CLOUDFLARENETUS | https://www.jottacloud.com/s/3542495a6cd3d7a4aafad5878d671fdee68 | Get hash | malicious | Unknown | Browse | 162.159.152.4
CLOUDFLARENETUS | http://email.wantyourfeedback.com/ls/click?upn=u001.PD4nPnyJUo8oiEzSkSGLgaBNAMtLp9U5nstWElDmnpXtySPOXSs4GxXhEZNYegDWlOpy_1gt1aDjd5mPVItYgazWgABkVm-2FZUH6kt1lIvkdtkRWsfoyQV18ixDvOX-2B0tU4ZH6SMN7PC0YJjM3gcvFPvh6CbZuFXlOBXf3FWLiJkpKJ7Hjba3S4-2FzhpmkR8VdprfK8GO3qSu-2BzqpIaLLC-2Bva9kOn7HY5B7OIgz5EOl88o1lnRSRpayTzqRzTSFhtg2Bi-2BI4dAZ7qHRbJ3vb9lcrxBKqAk13I-2BCAvndhSK1Vi4ubCjlp2xQlrXIHfzqmLiSPjl7tEmTsLYr99h3esBOPv8ASLIpf873P512I7xYEOjogT1gQCerfZNqh6K2IdWU6lDJ2r3wpU6ug02vU9Zslw4DYpuNNZQNVtap5mqv9Xf8D1PYQxYI5BK4owXOV2wEXeRIjST24XAw6EO9D1tdiGoHDRaxW2QofayefCuiW9Z191aML90svJWojHiQp1Fq-2BXFLiyEx8V1eLa7dixfJ23RRWtHvg1jOrHp7lqvXRA7dobs-3D | Get hash | malicious | HTMLPhisher | Browse | 172.67.223.170
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | PureLog Stealer, RisePro Stealer, zgRAT | Browse | 104.26.5.15, 34.117.186.192
a0e9f5d64349fb13191bc781f81f42e1 | SecuriteInfo.com.Win32.Evo-gen.19638.13648.exe | Get hash | malicious | DBatLoader | Browse | 104.26.5.15, 34.117.186.192
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | LummaC | Browse | 104.26.5.15, 34.117.186.192
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 104.26.5.15, 34.117.186.192
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | LummaC | Browse | 104.26.5.15, 34.117.186.192
a0e9f5d64349fb13191bc781f81f42e1 | Iu4csQ2rwX.msi | Get hash | malicious | AsyncRAT | Browse | 104.26.5.15, 34.117.186.192
a0e9f5d64349fb13191bc781f81f42e1 | o7b91j8vnJ.exe | Get hash | malicious | LummaC | Browse | 104.26.5.15, 34.117.186.192
a0e9f5d64349fb13191bc781f81f42e1 | SHEOrder-10524.exe | Get hash | malicious | Remcos, DBatLoader | Browse | 104.26.5.15, 34.117.186.192
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 104.26.5.15, 34.117.186.192
a0e9f5d64349fb13191bc781f81f42e1 | https://56hytuti5.weebly.com/ | Get hash | malicious | Unknown | Browse | 104.26.5.15, 34.117.186.192
                                                                                                                                    No context
Process: C:\Users\user\Desktop\file.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2270736
Entropy (8bit): 7.922698187069996
Encrypted: false
SSDEEP: 49152:Pwr0j3Y/qI2SgJeK3pJ3uwkeUB+C+26jAaa7V03:PW0j3YSI2SgJeKj3tjUcC+26jAaMa
MD5: 6795EFBA98699A0CAE3C4F729B83ACE9
SHA1: A46482DB507CF67307880919B85DC2187D2A2512
SHA-256: 026387AA4411DAC1107E403FB44FA90C5A34EC5AB0068AF13E3F8F9F0B0F46CD
SHA-512: 12D49B08FEC9DFC8EFCDDD9CFC7BDD3930EBC128F21667DA11FC5AB1B80BA5F153608460275CF4F71695ED9B8B91BDF35261A099314B7EA10B39F000EDA1A101
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Virustotal, Detection: 39%, Browse
• Antivirus: ReversingLabs, Detection: 32%
Reputation: low
                                                                                                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L...^.%f...............'............X.P...........@...........................h......#...@.......................................... ........................h.................................................................@................... ............................ ..` Z{..........................@..@ 0I... ......................@... .....p......................@..@ ..... ...L..................@..B.vm_sec..@.......@...$..............@....idata...............d..............@....tls.................h...................rsrc........ .......j..............@..@.themida. 5.......... ..............`....boot.........P...... ..............`..`.reloc........h.......".
Process: C:\Users\user\Desktop\file.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):65536
                                                                                                                                    Entropy (8bit):1.0531971279628916
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:xxxBlm7zT8DPC07ErhN6E6jjyZrofxjPzuiFhZ24IO826tB:xXDOTePJ7ErhAjLPzuiFhY4IO8pB
                                                                                                                                    MD5:122F940DF5DB7090D756D1880519B3CF
                                                                                                                                    SHA1:BF8DDE2AC2EAB5D61A22BC4B218403C3B01E3092
                                                                                                                                    SHA-256:6E6F865CC3F518E1ED6E36400FE28DF1DF6C2D6394BE83D603AF9FC327E99D14
                                                                                                                                    SHA-512:817917F056E1CA76528EB89C5870730DFD068CB188115620B0E9111768E679B7B49B7B6D4B626D21FBCD1AA188931A3FC9AA10A1CF01136407207D69F22F11EB
                                                                                                                                    Malicious:false
                                                                                                                                    Reputation:low
                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.4.3.7.7.4.5.0.1.5.4.7.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.4.3.7.7.4.9.3.9.0.9.0.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.1.f.9.a.f.a.e.-.1.c.d.9.-.4.f.5.6.-.a.6.4.f.-.1.2.1.5.3.1.5.a.5.8.8.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.b.e.2.d.a.1.2.-.b.9.8.d.-.4.a.0.2.-.9.e.2.3.-.5.5.a.e.7.0.3.e.1.0.5.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.r.o.s.s.D.e.v.i.c.e.S.e.t.t.i.n.g.s.H.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.5.8.-.0.0.0.1.-.0.0.1.4.-.f.c.c.9.-.e.3.6.a.3.f.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.6.7.a.b.c.f.8.d.6.c.2.5.2.9.7.e.d.9.7.2.3.e.f.1.6.c.3.8.f.3.6.0.0.0.0.0.9.1.0.!.0.0.0.0.a.4.6.4.8.2.d.b.5.0.7.c.f.6.7.3.0.7.8.8.0.9.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):65536
                                                                                                                                    Entropy (8bit):1.0477692421157836
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:DP3BC+ivsPXPS0LnaEE3jyZrosLZuzuiFhZ24IO82B:7RCTsvPZLnaXjyuzuiFhY4IO8W
                                                                                                                                    MD5:50B96B53F1205B969FFF94B8C85EBB3A
                                                                                                                                    SHA1:C9DED5B4976FE128505573AC9C57CBC4EDB7A880
                                                                                                                                    SHA-256:6A7C96FBCD87271F8DB3097A402449E6B0274B44CD7714CF669FFDF3648B462E
                                                                                                                                    SHA-512:4E4C6368670A4665CC96260828B3D1162A81ED5C0C69B1FD9410BD33641BCC0C9FB58C33B371814909D4028336142737072A23903A2F5F79D477353434651123
                                                                                                                                    Malicious:false
                                                                                                                                    Reputation:low
                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.4.3.7.7.0.6.2.3.6.0.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.4.3.7.7.1.0.6.1.1.0.4.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.e.2.3.3.a.8.3.-.7.6.a.7.-.4.0.0.5.-.9.f.0.1.-.5.3.4.3.1.5.1.7.d.8.4.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.8.f.8.6.3.7.3.-.7.c.e.2.-.4.3.5.e.-.b.7.c.c.-.3.c.6.b.3.4.8.e.9.9.0.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.r.o.s.s.D.e.v.i.c.e.S.e.t.t.i.n.g.s.H.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.3.8.-.0.0.0.1.-.0.0.1.4.-.9.7.3.2.-.7.3.6.9.3.f.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.6.7.a.b.c.f.8.d.6.c.2.5.2.9.7.e.d.9.7.2.3.e.f.1.6.c.3.8.f.3.6.0.0.0.0.0.9.1.0.!.0.0.0.0.a.4.6.4.8.2.d.b.5.0.7.c.f.6.7.3.0.7.8.8.0.9.1.9.b.8.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Mini DuMP crash report, 15 streams, Thu Apr 25 18:36:10 2024, 0x1205a4 type
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):113152
                                                                                                                                    Entropy (8bit):1.9317664069502896
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:384:3bFHw+BngDFtvVgikOq1LhrZeVQ39VS1LSqOawiub9df9KbauKs3a:LxtKFtvVgnWmS1Eiub9bs3
                                                                                                                                    MD5:6E2438F20256A9A50A0F1F4810EBB72D
                                                                                                                                    SHA1:1325A7D4912E268D148D1B78CB91752CA42AF015
                                                                                                                                    SHA-256:D248BABBB4E0B5378C1A1995F58ABB77A666FF94248A14E49550736484BAB386
                                                                                                                                    SHA-512:D616F3DD36D0C822BF7AB98AFD8BC7BE996C5A7079005201C10453A801538925B1019CDF52FC563892D71E9055A7E27479232B19918D3E9450978EE5CA64197B
                                                                                                                                    Malicious:false
                                                                                                                                    Reputation:low
                                                                                                                                    Preview:MDMP..a..... .........*f....................................l....#...........L..........`.......8...........T............J..@o...........#...........%..............................................................................eJ.......&......GenuineIntel............T.......8.....*f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):8368
                                                                                                                                    Entropy (8bit):3.697472332510983
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:R6l7wVeJpCT6WMc6YEIBSU9GTgmfB5gJjrpr+89bAmsfBgm:R6lXJQ6W6YEuSU9GTgmf/gJjRAFfz
                                                                                                                                    MD5:CFDBEF364D764198515BBD1EE305FA4D
                                                                                                                                    SHA1:0FA707640E777AEB24015E12A744E40874BD1565
                                                                                                                                    SHA-256:A1C9FD1C71815755D037034CD4AF23A744631BDD0E9DDF091A1B7F16BAF69B7F
                                                                                                                                    SHA-512:7810B20D8A071E30E9762AF0AFF5090F7CED065BB99FB354323E231092B6DD0DB85EC474363374B45C7043F858C23FE4E2257288277BFF06E5F87BCA232FD2C3
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.8.8.<./.P.i.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):4698
                                                                                                                                    Entropy (8bit):4.506450043460758
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:cvIwWl8zsqNJg77aI9VSWpW8VYqYm8M4Jd7oFy+q8QxjnlBB+hffd:uIjfqnI77z7VmJBRPB+hnd
                                                                                                                                    MD5:2062EE7DE8C639ACAE8076323AF8C10E
                                                                                                                                    SHA1:E2399EC81573C176CB3DF96782C2FF1C4F759398
                                                                                                                                    SHA-256:18A445CAD893D5720DE19FAF2FFACD70E68AFEC63F5A47971ACC840DA0CCD37E
                                                                                                                                    SHA-512:88E5E2F4270EC72F4A930F5A6C5FD53183C2890CF867D78AA370A54D20AA32D03540DFA65B9AC8D03B59A73B1E6D709A822449A2ECEA66041427B04036EF412D
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="295778" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:Mini DuMP crash report, 15 streams, Thu Apr 25 18:36:14 2024, 0x1205a4 type
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):112740
                                                                                                                                    Entropy (8bit):1.9240190142886622
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:384:btcrGfcsFtvYn6xUuw27jtKt3pR9Sir7rHJ7w9RbVVJSdxhWqD:b6CcsFtv7G9Qjkt3vsi+h2f
                                                                                                                                    MD5:ADEBCF41CB298CD13BCE138A388D7CCB
                                                                                                                                    SHA1:A5482CDDF717D1276C5098000BD61DBAE7E990F8
                                                                                                                                    SHA-256:266357D502B355447B124144E40970477DCFF1DF6509C6C846DD9AEE559A0655
                                                                                                                                    SHA-512:9568C9AFB7F6C5B7D94AA3D3425E9040ADC6C19570161474C4FBCD64190EDACE393405EF3C865CD3C677F622984229DB6A856741DD762751FCDB63D97DCD40C4
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:MDMP..a..... .........*f....................................l....#...........L..........`.......8...........T............I...n...........#...........%..............................................................................eJ.......&......GenuineIntel............T.......X.....*f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):6368
                                                                                                                                    Entropy (8bit):3.7216010373687767
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:R6l7wVeJFum6fwiYilgJjHyprQ89bkDsfxsm:R6lXJ16fwiY4gJjHikofP
                                                                                                                                    MD5:BA9C6D5F816429E2887153188FEF8CEC
                                                                                                                                    SHA1:16CF897E5B11ECF2C5541C6353B980A40D6A5A45
                                                                                                                                    SHA-256:2F856714ED115C41886F330E9A8A088015683619456877CFBA97047245322E33
                                                                                                                                    SHA-512:825C0C8322060B825D7E6769FD586F6E41372A086F08797F144CA2C821AADD5BDE1BD358C96FCB53C60AE935204FB12D53CF658C110962475B1E42F952278F31
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.1.6.0.<./.P.i.
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):4718
                                                                                                                                    Entropy (8bit):4.523888492847346
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:cvIwWl8zsqNJg77aI9VSWpW8VY7Ym8M4JR7tYF6O+q87DvDnlBKlFfd:uIjfqnI77z7VHJ+unPKlZd
                                                                                                                                    MD5:96164ED145EC177D5FADCC6FCE1EAC7F
                                                                                                                                    SHA1:BA28D0FD512229C136933C875234D2FDAA426B0F
                                                                                                                                    SHA-256:7E8CE5BDE813E573100A501EF038CCBF0A629D1911FB74234F219E9A0CEEB97D
                                                                                                                                    SHA-512:B035E80C214DC8CEB3002D8E5F6461079BFEC6C3A589A2ECD0B4198E2F6C32C4505F1D20CE57D43713BEC7DC478E815E69263FCB4DFE8FC9167B75687F66EB2F
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="295778" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):2270736
                                                                                                                                    Entropy (8bit):7.922698187069996
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:49152:Pwr0j3Y/qI2SgJeK3pJ3uwkeUB+C+26jAaa7V03:PW0j3YSI2SgJeKj3tjUcC+26jAaMa
                                                                                                                                    MD5:6795EFBA98699A0CAE3C4F729B83ACE9
                                                                                                                                    SHA1:A46482DB507CF67307880919B85DC2187D2A2512
                                                                                                                                    SHA-256:026387AA4411DAC1107E403FB44FA90C5A34EC5AB0068AF13E3F8F9F0B0F46CD
                                                                                                                                    SHA-512:12D49B08FEC9DFC8EFCDDD9CFC7BDD3930EBC128F21667DA11FC5AB1B80BA5F153608460275CF4F71695ED9B8B91BDF35261A099314B7EA10B39F000EDA1A101
                                                                                                                                    Malicious:true
                                                                                                                                    Antivirus:
                                                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                    • Antivirus: ReversingLabs, Detection: 32%
• Antivirus: Virustotal, Detection: 39%
                                                                                                                                    Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L...^.%f...............'............X.P...........@...........................h......#...@.......................................... ........................h.................................................................@................... ............................ ..` Z{..........................@..@ 0I... ......................@... .....p......................@..@ ..... ...L..................@..B.vm_sec..@.......@...$..............@....idata...............d..............@....tls.................h...................rsrc........ .......j..............@..@.themida. 5.......... ..............`....boot.........P...... ..............`..`.reloc........h.......".
Process:C:\Users\user\Desktop\file.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:false
Preview:[ZoneTransfer]....ZoneId=0
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
Category:dropped
Size (bytes):2771
Entropy (8bit):7.724912083380178
Encrypted:false
SSDEEP:48:9Ta8L8DZI60IvbKzKOVh9yWQzmMFSStz4yd5L3u69j7d1CFTYZm8Qn3KJ6jkFOhz:d8DzbMhQNzFSCz4yd5u6rn88Q3KJw
MD5:8CC6A5739AB545439C2DD0D4BEF562FF
SHA1:E167433FF23B1E4566F5F4CDCB2DD1F4089965B6
SHA-256:24588B1158C0AD2A70E5D09A1B2A4CA5AB0FA985E78EED23F67ECDF6744C729B
SHA-512:9E96BCE5E3E872659ABABA4C726529A159E787AA6931D9EE6B676BC721EB0A05313E8B06B80CE372634327E4078FC4749D66DD3D655199757559565FE1CF564E
Malicious:true
Yara Hits:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\1YMX7UxRgh318S1TWXmjgUx.zip, Author: Joe Security
Process:C:\Users\user\Desktop\file.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
Category:modified
Size (bytes):2764
Entropy (8bit):7.729288967206039
Encrypted:false
SSDEEP:48:98afL8DZIMof+LW18FT0aFrfsWbKP6ZvUzYxfan3KJ6Uk2OD5w:B8D3L750auEKCdUExfa3KJH
MD5:DF77B676461130A8CCEBA7051302F12C
SHA1:41B82B78AAEFD7C7D76243B59E5FF6A02DAD67FA
SHA-256:762195FA85706A4EA797BB947F7282FDC9FE53B2F0B69221619510A43A2DD637
SHA-512:52502C5C269DDCBA463F1E6A036BC4ED32DF31BCA47BAFD980BAC80287BFB68E4BA1FA1622127C13BFFFCD9EB4FA0236A636A08DB8362AA2E79D5A2FE1B1244C
Malicious:true
Yara Hits:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\HCwgibNvhQ3gDx_DWG1aNau.zip, Author: Joe Security
Process:C:\Users\user\Desktop\file.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):13
Entropy (8bit):2.6612262562697895
Encrypted:false
SSDEEP:3:LoSRVEXln:MSzEXl
MD5:1718F4856FAEE16D9A94A63833EEAE66
SHA1:1E27481DAE1B52B8A68B62EADE6C42C6702C28CA
SHA-256:4228B03103BAB372EDE19320672098001F3DFC4441161DF9F20DBB115AF3BAD6
SHA-512:76141245D749500B0B4A4B2C1DCD03982F20504504AA886BCE8C62961809353ED0D8F49AC5F946B7D7410C099A80C642E9D8A7036C4F31C5AA8E298DBA0A2806
Malicious:false
Preview:1714074018273
Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):98304
Entropy (8bit):0.08235737944063153
Encrypted:false
SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:false
Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):196608
Entropy (8bit):1.121297215059106
Encrypted:false
SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:D87270D0039ED3A5A72E7082EA71E305
SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:false
Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.03859996294213402
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:false
Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):155648
Entropy (8bit):0.5407252242845243
Encrypted:false
SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:7B955D976803304F2C0505431A0CF1CF
SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:false
Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):159744
Entropy (8bit):0.5394293526345721
Encrypted:false
SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:52701A76A821CDDBC23FB25C3FCA4968
SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:false
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):106496
                                                                                                                                    Entropy (8bit):1.136413900497188
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                                                    MD5:429F49156428FD53EB06FC82088FD324
                                                                                                                                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                                                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                                                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):106496
                                                                                                                                    Entropy (8bit):1.136413900497188
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                                                    MD5:429F49156428FD53EB06FC82088FD324
                                                                                                                                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                                                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                                                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):40960
                                                                                                                                    Entropy (8bit):0.8553638852307782
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                    MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):196608
                                                                                                                                    Entropy (8bit):1.121297215059106
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                                                                    MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                                                                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                                                                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                                                                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):106496
                                                                                                                                    Entropy (8bit):1.136413900497188
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                                                    MD5:429F49156428FD53EB06FC82088FD324
                                                                                                                                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                                                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                                                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):20480
                                                                                                                                    Entropy (8bit):0.8439810553697228
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
                                                                                                                                    MD5:9D46F142BBCF25D0D495FF1F3A7609D3
                                                                                                                                    SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
                                                                                                                                    SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
                                                                                                                                    SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):159744
                                                                                                                                    Entropy (8bit):0.5394293526345721
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                                                                    MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                                                                    SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                                                                    SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                                                                    SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):51200
                                                                                                                                    Entropy (8bit):0.8746135976761988
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                                                                    MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                                                                    SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                                                                    SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                                                                    SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):20480
                                                                                                                                    Entropy (8bit):0.6732424250451717
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                                                    MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                                                    SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                                                    SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                                                    SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):196608
                                                                                                                                    Entropy (8bit):1.121297215059106
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                                                                    MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                                                                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                                                                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                                                                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):40960
                                                                                                                                    Entropy (8bit):0.8553638852307782
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                    MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                    File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):98304
                                                                                                                                    Entropy (8bit):0.08235737944063153
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                                    MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                                    SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                                    SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                                    SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                    File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):5242880
                                                                                                                                    Entropy (8bit):0.03859996294213402
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                                                                                                                    MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                                                                                                                    SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                                                                                                                    SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                                                                                                                    SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):196608
                                                                                                                                    Entropy (8bit):1.121297215059106
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                                                                    MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                                                                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                                                                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                                                                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):40960
                                                                                                                                    Entropy (8bit):0.8553638852307782
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                    MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):196608
                                                                                                                                    Entropy (8bit):1.121297215059106
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                                                                    MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                                                                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                                                                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                                                                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                    File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):5242880
                                                                                                                                    Entropy (8bit):0.03859996294213402
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                                                                                                                    MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                                                                                                                    SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                                                                                                                    SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                                                                                                                    SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):106496
                                                                                                                                    Entropy (8bit):1.136413900497188
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                                                    MD5:429F49156428FD53EB06FC82088FD324
                                                                                                                                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                                                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                                                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):40960
                                                                                                                                    Entropy (8bit):0.8553638852307782
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                    MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):159744
                                                                                                                                    Entropy (8bit):0.5394293526345721
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                                                                    MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                                                                    SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                                                                    SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                                                                    SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):51200
                                                                                                                                    Entropy (8bit):0.8746135976761988
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                                                                                                                                    MD5:9E68EA772705B5EC0C83C2A97BB26324
                                                                                                                                    SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                                                                                                                                    SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                                                                                                                                    SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):159744
                                                                                                                                    Entropy (8bit):0.5394293526345721
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                                                                    MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                                                                    SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                                                                    SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                                                                    SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):20480
                                                                                                                                    Entropy (8bit):0.8439810553697228
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
                                                                                                                                    MD5:9D46F142BBCF25D0D495FF1F3A7609D3
                                                                                                                                    SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
                                                                                                                                    SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
                                                                                                                                    SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):196608
                                                                                                                                    Entropy (8bit):1.121297215059106
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                                                                                                                                    MD5:D87270D0039ED3A5A72E7082EA71E305
                                                                                                                                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                                                                                                                                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                                                                                                                                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):155648
                                                                                                                                    Entropy (8bit):0.5407252242845243
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                                                                    MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                                                                    SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                                                                    SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                                                                    SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):155648
                                                                                                                                    Entropy (8bit):0.5407252242845243
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                                                                    MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                                                                    SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                                                                    SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                                                                    SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):106496
                                                                                                                                    Entropy (8bit):1.136413900497188
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                                                    MD5:429F49156428FD53EB06FC82088FD324
                                                                                                                                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                                                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                                                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):20480
                                                                                                                                    Entropy (8bit):0.6732424250451717
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                                                    MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                                                    SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                                                    SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                                                    SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
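The records in this list are browser/profile SQLite databases that the dropped MPGPH131.exe copies before the stealer reads them, and every field the sandbox shows for them (the "File Type" line, the 8-bit entropy, the "Preview") is derived from the raw file header. The following is an added triage script, not code from the Joe Sandbox report or from the malware: it decodes the 100-byte SQLite 3 header, rebuilds the report's "File Type" string, computes the same entropy figure, renders the preview, and checks that the in-header page count agrees with the file size (the header page count is only trustworthy when version-valid-for equals the change counter, which SQLite itself requires). The database image it runs on is constructed in memory to match one record above (page size 2048, 20 pages, 40960 bytes, schema cookie 0xb); it is not one of the dropped files. The page-size convention (printed only when it is not 4096) is an observation from these records, where every entry without a page-size field has size divided by pages equal to 4096.

```python
# Added example: header/entropy/preview triage for the dropped SQLite databases.
# Not part of the sandbox report; the sample image is constructed, not a real drop.
import math
import struct
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"
TEXT_ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def parse_sqlite_header(data: bytes) -> dict:
    """Decode the 100-byte SQLite 3 file header (all integers are big-endian)."""
    if len(data) < 100 or data[:16] != SQLITE_MAGIC:
        raise ValueError("not an SQLite 3 database image")
    (page_size_raw, write_ver, read_ver, reserved,
     _max_frac, _min_frac, _leaf_frac,
     change_counter, db_pages, _freelist_trunk, freelist_pages,
     schema_cookie, schema_format, _cache_size, _largest_root,
     text_enc, user_version, _inc_vacuum, app_id) = struct.unpack(
        ">HBBBBBBIIIIIIIIIIII", data[16:72])
    version_valid_for, sqlite_version = struct.unpack(">II", data[92:100])
    return {
        "page_size": 65536 if page_size_raw == 1 else page_size_raw,  # 1 encodes 65536
        "write_version": write_ver,  # 1 = rollback journal, 2 = WAL
        "read_version": read_ver,
        "reserved_per_page": reserved,
        "change_counter": change_counter,
        "db_pages": db_pages,
        "freelist_pages": freelist_pages,
        "schema_cookie": schema_cookie,
        "schema_format": schema_format,
        "text_encoding": TEXT_ENCODINGS.get(text_enc, f"encoding {text_enc}"),
        "user_version": user_version,
        "application_id": app_id,
        "version_valid_for": version_valid_for,
        "sqlite_version": sqlite_version,
    }


def describe(h: dict) -> str:
    """Rebuild the report's "File Type" line. Page size is printed only when it
    is not 4096, matching the records on this page (entries without the field
    all have size / pages == 4096)."""
    parts = ["SQLite 3.x database",
             f"last written using SQLite version {h['sqlite_version']}"]
    if h["page_size"] != 4096:
        parts.append(f"page size {h['page_size']}")
    parts += [f"file counter {h['change_counter']}",
              f"database pages {h['db_pages']}",
              f"cookie {h['schema_cookie']:#x}",
              f"schema {h['schema_format']}",
              h["text_encoding"],
              f"version-valid-for {h['version_valid_for']}"]
    return ", ".join(parts)


def entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0..8.0), the report's "Entropy (8bit)".
    Mostly-zero database pages sit near 0; encrypted or compressed content near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def preview(data: bytes, length: int = 64) -> str:
    """Render leading bytes like the report's "Preview": printable ASCII kept, else a dot."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:length])


def header_size_trusted(h: dict) -> bool:
    """SQLite only trusts the in-header page count when it is non-zero and the
    change counter (offset 24) equals version-valid-for (offset 92)."""
    return h["db_pages"] != 0 and h["change_counter"] == h["version_valid_for"]


def triage(data: bytes) -> dict:
    """Summarise one database image with the fields the sandbox report lists."""
    h = parse_sqlite_header(data)
    expected = h["page_size"] * h["db_pages"]
    return {
        "file_type": describe(h),
        "size": len(data),
        "size_matches_header": header_size_trusted(h) and expected == len(data),
        "entropy": round(entropy_8bit(data), 4),
        "preview": preview(data, 32),
    }


def build_sample_db(page_size=2048, pages=20, change_counter=1,
                    schema_cookie=0xB, schema_format=4, sqlite_version=3042000) -> bytes:
    """Constructed image (valid header followed by zero pages); not a dropped file."""
    hdr = bytearray(100)
    hdr[0:16] = SQLITE_MAGIC
    # page size, write/read version 1, reserved 0, payload fractions 64/32/32
    struct.pack_into(">HBBBBBB", hdr, 16, page_size, 1, 1, 0, 64, 32, 32)
    # change counter, pages, freelist trunk/count, cookie, schema format,
    # cache size, largest root page, text encoding (1 = UTF-8), user version,
    # incremental vacuum, application id
    struct.pack_into(">IIIIIIIIIIII", hdr, 24, change_counter, pages, 0, 0,
                     schema_cookie, schema_format, 0, 0, 1, 0, 0, 0)
    struct.pack_into(">II", hdr, 92, change_counter, sqlite_version)
    return bytes(hdr) + bytes(page_size * pages - 100)


if __name__ == "__main__":
    for key, value in triage(build_sample_db()).items():
        print(f"{key}: {value}")
```

Running `triage()` over the real drops (read each file with `open(path, "rb").read()`) gives the same "File Type" string the report prints, and a size that does not equal page size times header page count is worth a second look: it means the file was written after the header's page count was last updated, or was truncated or padded on copy.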
                                                                                                                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):106496
                                                                                                                                    Entropy (8bit):1.136413900497188
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                                                    MD5:429F49156428FD53EB06FC82088FD324
                                                                                                                                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                                                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                                                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:ASCII text, with very long lines (369), with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):530
                                                                                                                                    Entropy (8bit):5.999391385907715
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:12:copYxSlufq7gCx7Fbyr4rOSlTfJJADr6HDsZQZ7gC6:KauS79Gr4iSllJALQZ7c
                                                                                                                                    MD5:06ED2CD304730F55A5C7001509E128BE
                                                                                                                                    SHA1:49651485B2CE3D239172BD52BF5A265AB3EB8E18
                                                                                                                                    SHA-256:66851B5AA77B3DEE71B842F53D4E30F664F5A08F9754B9E87B323871981516A4
                                                                                                                                    SHA-512:0163A8537DE695D34865EEB9C872F15A1827644D8797344A2D36E776F174E5901E77AA560488B0D7D7359B3648614F818B85A7D51F59CCDF2831B5715F5A9334
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:.google.com.FALSE./.TRUE.1699018815.1P_JAR.ENC893*_djEwmUj/dRHWNmfhbTB/w+u3HcpAF49UGcxvovgmz9ye9OQyJO9KCFHkRm8=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*...google.com.TRUE./.TRUE.1712238015.NID.ENC893*_djEwFCqquAx+Q1mLxpuZeEBJZSgzAt4Ngo/HHXcYPxMGINXG0MJzCe/y7m5VzpUyfsA6ingOdNobTvWP/YbKYpzg64nmGlCjRU9RpPIjDAuAxGlp5MTMUaOP4iC8aSCuijjqDE5gAdZQ5Jgb0/uEAZ4ssWGDsxXJbqpGbi04viYfPDhBfQ9XKXznqtHW/weYlNZJIGlKZBsCWoEIKfuL56VHKaBt04gLO/XK1/P3nHsp6pSc1x1uk1RRK7hSYUjCY5G/hcpBBjFv74dICDI=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*..
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):5133
                                                                                                                                    Entropy (8bit):5.353395535136237
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:96:xN3JZZRyQc2KBhA6tsxODsB8LOByfagYUfL2yo+yU/maAD5sj5BcawJksEdOSPL4:xvcQX6tsxPdB
                                                                                                                                    MD5:514CAF66911FDF8087E7D095CFD82092
                                                                                                                                    SHA1:D1878DFDF7831A4E7CE73FC55148E59FC307CA1D
                                                                                                                                    SHA-256:85C47FE755066C693F5D64C00BF50D01A23E76CF3DB4A5C09E2C087480E0D4C3
                                                                                                                                    SHA-512:572D365D46B36EDF282071E411AEC0DD7F13B8A466A3C145B6821EE469B6049E13DC22007086556B9C0A07DCC389922EAD599ED13DD4044D4CEDA12F04CDCD3D
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:Build: nikto..Version: 1.9....Date: Thu Apr 25 20:36:06 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 286fe3198427e3eab9a8bb4a842f12d8....Path: C:\Users\user\Desktop\file.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixy68JizlX_sufx....IP: 185.152.66.230..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 721680 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 25/4/2024 20:36:6..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [332]..csrss.exe [420]..wininit.exe [496]..csrss.exe [504]..winlogon.exe [564]..services.exe [632]..lsass.exe [640]..svchost.exe [752]..fontdrvhost.exe [780]..fontdrvhost.exe [788].
                                                                                                                                    Process:C:\Users\user\Desktop\file.exe
                                                                                                                                    File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):4897
                                                                                                                                    Entropy (8bit):2.518316437186352
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                                                                                                                    MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                                                                                                                    SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                                                                                                                    SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                                                                                                                    SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                    File Type:ASCII text, with very long lines (369), with CRLF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):530
                                                                                                                                    Entropy (8bit):5.999391385907715
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:12:copYxSlufq7gCx7Fbyr4rOSlTfJJADr6HDsZQZ7gC6:KauS79Gr4iSllJALQZ7c
                                                                                                                                    MD5:06ED2CD304730F55A5C7001509E128BE
                                                                                                                                    SHA1:49651485B2CE3D239172BD52BF5A265AB3EB8E18
                                                                                                                                    SHA-256:66851B5AA77B3DEE71B842F53D4E30F664F5A08F9754B9E87B323871981516A4
                                                                                                                                    SHA-512:0163A8537DE695D34865EEB9C872F15A1827644D8797344A2D36E776F174E5901E77AA560488B0D7D7359B3648614F818B85A7D51F59CCDF2831B5715F5A9334
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:.google.com.FALSE./.TRUE.1699018815.1P_JAR.ENC893*_djEwmUj/dRHWNmfhbTB/w+u3HcpAF49UGcxvovgmz9ye9OQyJO9KCFHkRm8=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*...google.com.TRUE./.TRUE.1712238015.NID.ENC893*_djEwFCqquAx+Q1mLxpuZeEBJZSgzAt4Ngo/HHXcYPxMGINXG0MJzCe/y7m5VzpUyfsA6ingOdNobTvWP/YbKYpzg64nmGlCjRU9RpPIjDAuAxGlp5MTMUaOP4iC8aSCuijjqDE5gAdZQ5Jgb0/uEAZ4ssWGDsxXJbqpGbi04viYfPDhBfQ9XKXznqtHW/weYlNZJIGlKZBsCWoEIKfuL56VHKaBt04gLO/XK1/P3nHsp6pSc1x1uk1RRK7hSYUjCY5G/hcpBBjFv74dICDI=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*..
                                                                                                                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                    File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):5138
                                                                                                                                    Entropy (8bit):5.353184521641228
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:96:xNqHZRyzc2KBhA6tsxODsB8LOByfagYUfL2yo+yU/maAD5sj5BcawJksEdOSPLCU:xmczX6tsxPsB
                                                                                                                                    MD5:2EC2C5CDB45780FF7C0723BA34D346D6
                                                                                                                                    SHA1:A8D27CC072B838184352C48021C05D0EFDB53E8F
                                                                                                                                    SHA-256:47C7F514C0306976C5D660280888435831C3F2EF9D36165BE6E079E9A992BC3A
                                                                                                                                    SHA-512:899F1028F8CC0C710510DCB7FAC6BD3DB3B2AFD59D224141DC388839569B50AB54E452568534747EEED235395773614DA096BA2E93F1C4804F585F88388FEB3C
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:Build: nikto..Version: 1.9....Date: Thu Apr 25 20:36:09 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 286fe3198427e3eab9a8bb4a842f12d8....Path: C:\ProgramData\MPGPH131\MPGPH131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixyFqsK1kll1Gc3....IP: 185.152.66.230..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 721680 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 25/4/2024 20:36:9..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [332]..csrss.exe [420]..wininit.exe [496]..csrss.exe [504]..winlogon.exe [564]..services.exe [632]..lsass.exe [640]..svchost.exe [752]..fontdrvhost.exe [780]..fontdrvhost.exe [7
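The two ASCII files above are the stealer's machine profile, written once by file.exe and again by its persisted copy C:\ProgramData\MPGPH131\MPGPH131.exe: same MachineID, GUID, HWID and IP, differing only in Path, Work Dir and the timestamp. The following is an added Python example, not code from the Joe Sandbox report or from the sample, that parses this layout (key: value lines, bracketed sections, "name [pid]" process entries) so the identifying fields can be pulled out during triage. The sample text is constructed from the preview, with the dots replaced by the CRLF/LF terminators the File Type line reports; the check on a %TEMP%\trixy... work directory is my own observation from the two previews and is labelled as an assumption, not a signature from the report.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, rebuilt from the report's preview of the dropped log. The preview renders
# CR/LF as dots; the "File Type" line says the file mixes CRLF and bare LF terminators.
SAMPLE_LOG = (
    "Build: nikto\r\nVersion: 1.9\r\n\r\n"
    "Date: Thu Apr 25 20:36:06 2024\n"
    "MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06\r\n"
    "GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}\r\n"
    "HWID: 286fe3198427e3eab9a8bb4a842f12d8\r\n\r\n"
    "Path: C:\\Users\\user\\Desktop\\file.exe\r\n"
    "Work Dir: C:\\Users\\user\\AppData\\Local\\Temp\\trixy68JizlX_sufx\r\n\r\n"
    "IP: 185.152.66.230\r\n"
    "Local Time: 25/4/2024 20:36:6\r\n"
    "TimeZone: UTC1\r\n\r\n"
    "[Hardware]\r\n"
    "Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\r\n"
    "CPU Count: 4\r\n\r\n"
    "[Processes]\r\n"
    "System [4]\r\n"
    "Registry [92]\r\n"
    "smss.exe [332]\r\n"
)

PROC_RE = re.compile(r"^(?P<name>.+?) \[(?P<pid>\d+)\]$")


def parse_profile(text: str) -> Tuple[Dict[str, Dict[str, str]], List[Tuple[str, int]]]:
    """Return ({section: {key: value}}, [(process, pid), ...]).

    Lines before the first [Section] header land in section "" (the general block).
    Values are split on the first ': ' only, so 'Local Time: 25/4/2024 20:36:6' survives intact.
    """
    sections: Dict[str, Dict[str, str]] = {"": {}}
    processes: List[Tuple[str, int]] = []
    current = ""
    for raw in text.splitlines():          # splitlines() accepts \r\n and bare \n alike
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current == "Processes":
            m = PROC_RE.match(line)
            if m:
                processes.append((m.group("name"), int(m.group("pid"))))
            continue
        key, sep, value = line.partition(": ")
        if sep:
            sections[current][key] = value
    return sections, processes


def triage_fields(text: str) -> Dict[str, str]:
    """Pull the fields an incident responder would pivot on (victim identity, drop path, egress IP)."""
    sections, _ = parse_profile(text)
    general = sections[""]
    wanted = ("Build", "Version", "MachineID", "GUID", "HWID", "Path", "Work Dir", "IP")
    return {k: general[k] for k in wanted if k in general}


def work_dir_matches_temp_pattern(text: str) -> bool:
    """Assumption drawn from the two previews on this page, not a report-provided signature:
    the work directory is %TEMP%\\trixy<random>. Use as a hunting heuristic only."""
    wd = triage_fields(text).get("Work Dir", "")
    return bool(re.search(r"\\Temp\\trixy[A-Za-z0-9_]+$", wd))
```

Running `triage_fields(SAMPLE_LOG)` yields the MachineID, HWID, Path and Work Dir seen in the preview; comparing those dictionaries for the two dropped copies shows which fields are per-run (Path, Work Dir) and which identify the host.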
                                                                                                                                    Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                    File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):4897
                                                                                                                                    Entropy (8bit):2.518316437186352
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                                                                                                                    MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                                                                                                                    SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                                                                                                                    SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                                                                                                                    SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):1835008
                                                                                                                                    Entropy (8bit):4.4250758842935864
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:6144:xSvfpi6ceLP/9skLmb0OTuWSPHaJG8nAgeMZMMhA2fX4WABlEnNp0uhiTw:IvloTuW+EZMM6DFyn03w
                                                                                                                                    MD5:59B0C195483CC249BAC1BF8F9A56531A
                                                                                                                                    SHA1:348AB84CEA116A49195795F4012B5EC5288758D1
                                                                                                                                    SHA-256:A4F7A9ED07744D86C89A5312BAFADF5A99173D41E229B72189E074119699FB5A
                                                                                                                                    SHA-512:47EE7DBD04D42CC999FD01DC8559A183398B80E539D4101C0FC870FEA69EAEBD5D121E712B8803B6EEAF61A0B29AB89D478DBE116E9435EEF037A5BC76241403
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...q?..................................................................................................................................................................................................................................................................................................................................................E........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                    Entropy (8bit):7.922698187069996
                                                                                                                                    TrID:
                                                                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                    File name:file.exe
                                                                                                                                    File size:2'270'736 bytes
                                                                                                                                    MD5:6795efba98699a0cae3c4f729b83ace9
                                                                                                                                    SHA1:a46482db507cf67307880919b85dc2187d2a2512
                                                                                                                                    SHA256:026387aa4411dac1107e403fb44fa90c5a34ec5ab0068af13e3f8f9f0b0f46cd
                                                                                                                                    SHA512:12d49b08fec9dfc8efcddd9cfc7bdd3930ebc128f21667da11fc5ab1b80ba5f153608460275cf4f71695ed9b8b91bdf35261a099314b7ea10b39f000eda1a101
                                                                                                                                    SSDEEP:49152:Pwr0j3Y/qI2SgJeK3pJ3uwkeUB+C+26jAaa7V03:PW0j3YSI2SgJeKj3tjUcC+26jAaMa
                                                                                                                                    TLSH:0CB533EB7DD28805E1F6DA319860C6BB5844BF298D4811E568DF3F6FB63A70D9F04218
                                                                                                                                    File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s
                                                                                                                                    Icon Hash:4c4d96ec0ce6c600
                                                                                                                                    Entrypoint:0x900058
                                                                                                                                    Entrypoint Section:.boot
                                                                                                                                    Digitally signed:false
                                                                                                                                    Imagebase:0x400000
                                                                                                                                    Subsystem:windows gui
                                                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                                    Time Stamp:0x6625EF5E [Mon Apr 22 05:02:22 2024 UTC]
                                                                                                                                    TLS Callbacks:
                                                                                                                                    CLR (.Net) Version:
                                                                                                                                    OS Version Major:6
                                                                                                                                    OS Version Minor:0
                                                                                                                                    File Version Major:6
                                                                                                                                    File Version Minor:0
                                                                                                                                    Subsystem Version Major:6
                                                                                                                                    Subsystem Version Minor:0
                                                                                                                                    Import Hash:63814aaf116ba6abb6496ce4bcad24c6
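The static block above lists the sample's hashes, an 8-bit entropy of 7.92 (close to the 8.0 maximum and consistent with the packed .boot section that holds the entrypoint) and a content preview in which non-printable bytes are shown as dots. The following added Python example, not Joe Sandbox code, recomputes those fields for any file so a report can be cross-checked against a local copy of the sample; ssdeep, TLSH and the icon hash are deliberately not reproduced. The 7.0 bits/byte threshold used to flag a packed or encrypted PE is a conventional rule of thumb and an assumption here, not a value taken from the report, and the demo inputs are constructed, not the real sample.

```python
import hashlib
import math
from collections import Counter
from typing import Dict


def shannon_entropy_8bit(data: bytes) -> float:
    """Entropy in bits per byte over the byte-value distribution (0.0 .. 8.0),
    the same 'Entropy (8bit)' statistic the report prints."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def content_preview(data: bytes, limit: int = 64) -> str:
    """Render the leading bytes like the report's preview: printable ASCII as-is, anything else as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:limit])


def static_fields(data: bytes, name: str = "file.exe") -> Dict[str, object]:
    """Compute the hash, entropy and preview fields the report lists for a sample."""
    return {
        "File name": name,
        "File size": len(data),
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
        "Entropy (8bit)": shannon_entropy_8bit(data),
        "File Content Preview": content_preview(data),
        "Is PE": data[:2] == b"MZ",
    }


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Rule of thumb (assumption, not from the report): whole-file entropy above ~7 bits/byte on a
    PE usually means compressed or encrypted sections, as with the 7.92 reported for this sample."""
    return data[:2] == b"MZ" and shannon_entropy_8bit(data) > threshold


def matches_report(data: bytes, expected_sha256: str) -> bool:
    """Cross-check a local copy against the SHA256 printed in the report (case-insensitive)."""
    return hashlib.sha256(data).hexdigest().lower() == expected_sha256.lower()


# Constructed inputs, not the real sample: a DOS-header-like stub followed by near-uniform bytes,
# and a flat run of zeros for the opposite extreme.
DEMO_PE_STUB = b"MZ\x90\x00" + b"This program cannot be run in DOS mode." + bytes(range(256)) * 4
DEMO_FLAT = b"\x00" * 4096
```

`matches_report(open(path, "rb").read(), "026387aa4411dac1107e403fb44fa90c5a34ec5ab0068af13e3f8f9f0b0f46cd")` is the check to run before trusting that a locally held file is the one this report describes; `static_fields` then gives the same hash, size and entropy columns for the dropped files.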
                                                                                                                                    Instruction
call 00007F7ACD457300h
push ebx
mov ebx, esp
push ebx
mov esi, dword ptr [ebx+08h]
mov edi, dword ptr [ebx+10h]
cld
mov dl, 80h
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
mov ebx, 00000002h
add dl, dl
jne 00007F7ACD4571B7h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007F7ACD45719Ch
add dl, dl
jne 00007F7ACD4571B7h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007F7ACD457203h
xor eax, eax
add dl, dl
jne 00007F7ACD4571B7h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007F7ACD457297h
add dl, dl
jne 00007F7ACD4571B7h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F7ACD4571B7h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F7ACD4571B7h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F7ACD4571B7h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
je 00007F7ACD4571BAh
push edi
mov eax, eax
sub edi, eax
mov al, byte ptr [edi]
pop edi
mov byte ptr [edi], al
inc edi
mov ebx, 00000002h
jmp 00007F7ACD45714Bh
mov eax, 00000001h
add dl, dl
jne 00007F7ACD4571B7h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F7ACD4571B7h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jc 00007F7ACD45719Ch
sub eax, ebx
mov ebx, 00000001h
jne 00007F7ACD4571DAh
mov ecx, 00000001h
add dl, dl
jne 00007F7ACD4571B7h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc ecx, ecx
add dl, dl
jne 00007F7ACD4571B7h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jc 00007F7ACD45719Ch
push esi
mov esi, edi
sub esi, ebp
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1a018b | 0x184 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a2000 | 0xb5ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x689000 | 0x10 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_TLS | 0x1a1018 | 0x18 | .tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x1803c4 | 0x40 | 
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x158af8 | 0x7f400 | 43b587287b301430520c781e175e9bea | False | 0.999460876105108 | data | 7.999486852289058 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
(unnamed) | 0x15a000 | 0x27b5a | 0xc600 | b02e27ba8a0a62e156f99ba3cb070840 | False | 0.9960345643939394 | data | 7.991658316031979 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(unnamed) | 0x182000 | 0x4930 | 0x800 | b16b287aa636bb2b4166cf7b1bd25fdd | False | 0.90087890625 | data | 7.38511843248747 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x187000 | 0xafa0 | 0x1200 | 467cb5bda040e0a48312fe4e7d92180e | False | 1.0023871527777777 | data | 7.957783824322694 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(unnamed) | 0x192000 | 0x9700 | 0x4c00 | e3f14cdb1bf1fe57ec354f844e79f7ad | False | 0.9898745888157895 | data | 7.977428095826993 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.vm_sec | 0x19c000 | 0x4000 | 0x4000 | 2574ee3be1d21a55cc02ed7334d12e05 | False | 0.165283203125 | data | 2.916830760368123 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x1a0000 | 0x1000 | 0x400 | 4b59baa1deb5678c423b5222ad87c2b8 | False | 0.400390625 | data | 3.337049343901853 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x1a1000 | 0x1000 | 0x200 | b6901c91578d4b57eb40e738bb0d9b8e | False | 0.056640625 | data | 0.18120187678200297 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1a2000 | 0xb600 | 0xb600 | 27507467f3af30f8a547dc012d3000e7 | False | 0.12386246565934066 | data | 2.4019871224080975 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida | 0x1ae000 | 0x352000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot | 0x500000 | 0x188600 | 0x188600 | a4deabf04d831d68681bbad12d800249 | False | 0.9836040787273017 | data | 7.949192596228493 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0x689000 | 0x1000 | 0x10 | 99df941ae8b9cb04221a0de4a710f9a9 | False | 1.5 | GLS_BINARY_LSB_FIRST | 2.349601752714581 | IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1a21e0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Russian | Russia | 0.1320921985815603
RT_ICON | 0x1a2658 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1600 | Russian | Russia | 0.10465116279069768
RT_ICON | 0x1a2d20 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Russian | Russia | 0.08770491803278689
RT_ICON | 0x1a36b8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Russian | Russia | 0.05722326454033771
RT_ICON | 0x1a4770 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Russian | Russia | 0.03475103734439834
RT_ICON | 0x1a6d28 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | Russian | Russia | 0.02509447331128956
RT_ICON | 0x1aaf60 | 0x1aae | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Russian | Russia | 0.39780380673499266
RT_GROUP_ICON | 0x1aca20 | 0x68 | data | Russian | Russia | 0.7596153846153846
RT_VERSION | 0x1aca98 | 0x398 | OpenPGP Public Key | Russian | Russia | 0.42282608695652174
RT_MANIFEST | 0x1ace40 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
RT_MANIFEST | 0x1acfd0 | 0x5d7 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.43478260869565216
DLL | Import
kernel32.dll | GetModuleHandleA
USER32.dll | wsprintfA
GDI32.dll | CreateCompatibleBitmap
ADVAPI32.dll | RegQueryValueExA
SHELL32.dll | ShellExecuteA
ole32.dll | CoInitialize
WS2_32.dll | WSAStartup
CRYPT32.dll | CryptUnprotectData
SHLWAPI.dll | PathFindExtensionA
gdiplus.dll | GdipGetImageEncoders
SETUPAPI.dll | SetupDiEnumDeviceInfo
ntdll.dll | RtlUnicodeStringToAnsiString
RstrtMgr.DLL | RmStartSession
Language of compilation system | Country where language is spoken | Map
Russian | Russia | 
English | United States | 
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/25/24-20:36:02.824956 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49708 | 147.45.47.93 | 192.168.2.5
04/25/24-20:36:09.524020 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49708 | 58709 | 192.168.2.5 | 147.45.47.93
04/25/24-20:36:02.835774 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49709 | 147.45.47.93 | 192.168.2.5
04/25/24-20:36:20.853335 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49724 | 147.45.47.93 | 192.168.2.5
04/25/24-20:36:03.375523 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49708 | 147.45.47.93 | 192.168.2.5
04/25/24-20:36:03.390482 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49709 | 147.45.47.93 | 192.168.2.5
04/25/24-20:36:00.328630 | TCP | 2049060 | ET TROJAN RisePro TCP Heartbeat Packet | 49705 | 58709 | 192.168.2.5 | 147.45.47.93
04/25/24-20:36:23.977267 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49724 | 58709 | 192.168.2.5 | 147.45.47.93
04/25/24-20:36:00.782969 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49705 | 147.45.47.93 | 192.168.2.5
04/25/24-20:36:00.533633 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49705 | 147.45.47.93 | 192.168.2.5
04/25/24-20:36:14.063364 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49714 | 58709 | 192.168.2.5 | 147.45.47.93
04/25/24-20:36:07.671962 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49705 | 58709 | 192.168.2.5 | 147.45.47.93
04/25/24-20:36:10.545583 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49714 | 147.45.47.93 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 25, 2024 20:36:00.078001022 CEST | 49705 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 25, 2024 20:36:00.306992054 CEST | 58709 | 49705 | 147.45.47.93 | 192.168.2.5
Apr 25, 2024 20:36:00.307205915 CEST | 49705 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 25, 2024 20:36:00.328629971 CEST | 49705 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 25, 2024 20:36:00.533632994 CEST | 58709 | 49705 | 147.45.47.93 | 192.168.2.5
Apr 25, 2024 20:36:00.554939985 CEST | 58709 | 49705 | 147.45.47.93 | 192.168.2.5
Apr 25, 2024 20:36:00.555064917 CEST | 49705 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 25, 2024 20:36:00.649142981 CEST | 49705 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 25, 2024 20:36:00.782968998 CEST | 58709 | 49705 | 147.45.47.93 | 192.168.2.5
Apr 25, 2024 20:36:00.836429119 CEST | 49705 | 58709 | 192.168.2.5 | 147.45.47.93
Apr 25, 2024 20:36:00.927450895 CEST | 58709 | 49705 | 147.45.47.93 | 192.168.2.5
Apr 25, 2024 20:36:01.050957918 CEST | 49706 | 443 | 192.168.2.5 | 34.117.186.192
Apr 25, 2024 20:36:01.050997972 CEST | 443 | 49706 | 34.117.186.192 | 192.168.2.5
Apr 25, 2024 20:36:01.051075935 CEST | 49706 | 443 | 192.168.2.5 | 34.117.186.192
Apr 25, 2024 20:36:01.053288937 CEST | 49706 | 443 | 192.168.2.5 | 34.117.186.192
Apr 25, 2024 20:36:01.053308010 CEST | 443 | 49706 | 34.117.186.192 | 192.168.2.5
Apr 25, 2024 20:36:01.291311979 CEST | 443 | 49706 | 34.117.186.192 | 192.168.2.5
Apr 25, 2024 20:36:01.291388035 CEST | 49706 | 443 | 192.168.2.5 | 34.117.186.192
Apr 25, 2024 20:36:01.294595957 CEST | 49706 | 443 | 192.168.2.5 | 34.117.186.192
Apr 25, 2024 20:36:01.294606924 CEST | 443 | 49706 | 34.117.186.192 | 192.168.2.5
Apr 25, 2024 20:36:01.295005083 CEST | 443 | 49706 | 34.117.186.192 | 192.168.2.5
Apr 25, 2024 20:36:01.336431980 CEST | 49706 | 443 | 192.168.2.5 | 34.117.186.192
Apr 25, 2024 20:36:01.421506882 CEST | 49706 | 443 | 192.168.2.5 | 34.117.186.192
Apr 25, 2024 20:36:01.468122005 CEST | 443 | 49706 | 34.117.186.192 | 192.168.2.5
Apr 25, 2024 20:36:01.561785936 CEST | 443 | 49706 | 34.117.186.192 | 192.168.2.5
Apr 25, 2024 20:36:01.561942101 CEST | 443 | 49706 | 34.117.186.192 | 192.168.2.5
Apr 25, 2024 20:36:01.562011003 CEST | 49706 | 443 | 192.168.2.5 | 34.117.186.192
Apr 25, 2024 20:36:01.564281940 CEST | 49706 | 443 | 192.168.2.5 | 34.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:01.564301968 CEST4434970634.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:01.564316988 CEST49706443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:01.564323902 CEST4434970634.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:01.703481913 CEST49707443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:01.703537941 CEST44349707104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:01.703632116 CEST49707443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:01.704188108 CEST49707443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:01.704205036 CEST44349707104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:01.942240000 CEST44349707104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:01.942320108 CEST49707443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:01.946517944 CEST49707443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:01.946523905 CEST44349707104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:01.946932077 CEST44349707104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:01.951870918 CEST49707443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:01.996114969 CEST44349707104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:02.368273020 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:02.376425028 CEST4970958709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:02.406610966 CEST44349707104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:02.406707048 CEST44349707104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:02.406759977 CEST49707443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:02.408288002 CEST49707443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:02.408302069 CEST44349707104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:02.408315897 CEST49707443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:02.408320904 CEST44349707104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:02.408885956 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:02.596303940 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:02.596411943 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:02.601218939 CEST5870949709147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:02.601371050 CEST4970958709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:02.609586000 CEST4970958709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:02.609661102 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:02.664052963 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:02.711426973 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:02.742897987 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:02.824955940 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:02.835773945 CEST5870949709147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:02.867749929 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:02.882213116 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:02.883299112 CEST4970958709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:03.021505117 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.322748899 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.367672920 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:03.375523090 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.390481949 CEST5870949709147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.399210930 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:03.430171967 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:03.445826054 CEST4970958709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:03.508771896 CEST49710443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:03.508805037 CEST4434971034.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.508904934 CEST49710443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:03.510092020 CEST49710443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:03.510107040 CEST4434971034.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.513906956 CEST49711443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:03.513951063 CEST4434971134.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.514023066 CEST49711443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:03.515170097 CEST49711443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:03.515189886 CEST4434971134.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.637006998 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.637046099 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.637103081 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:03.637115955 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.637135029 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.637178898 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:03.637181997 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.637449026 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.637495041 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:03.637516022 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.637587070 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.637608051 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.637630939 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:03.637667894 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.637710094 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:03.658128023 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.661705971 CEST4970858709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:03.670571089 CEST5870949709147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.670723915 CEST4970958709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:03.736567974 CEST4434971034.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.736700058 CEST49710443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:03.738046885 CEST49710443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:03.738056898 CEST4434971034.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.738292933 CEST4434971034.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.750454903 CEST4434971134.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.750546932 CEST49711443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:03.751625061 CEST49711443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:03.751638889 CEST4434971134.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.752737999 CEST4434971134.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.785183907 CEST49710443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:03.802644968 CEST49711443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:03.828160048 CEST4434971034.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.844115019 CEST4434971134.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.863456964 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.863492966 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.863519907 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.863542080 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.863555908 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:03.863584995 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:03.863593102 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.863611937 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.863662004 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:03.945045948 CEST5870949709147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.945070028 CEST5870949708147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.945925951 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:03.987298012 CEST4434971034.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.987426043 CEST4434971034.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.987482071 CEST49710443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:03.988162041 CEST49710443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:03.988183022 CEST4434971034.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.988197088 CEST49710443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:03.988203049 CEST4434971034.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.990674973 CEST49712443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:03.990699053 CEST44349712104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.990758896 CEST49712443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:03.991092920 CEST49712443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:03.991106987 CEST44349712104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.998975992 CEST4434971134.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.999279022 CEST4434971134.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.999351025 CEST49711443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:03.999468088 CEST49711443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:03.999486923 CEST4434971134.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:03.999496937 CEST49711443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:03.999501944 CEST4434971134.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:04.000864029 CEST49713443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:04.000881910 CEST44349713104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:04.000945091 CEST49713443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:04.001182079 CEST49713443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:04.001197100 CEST44349713104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:04.182702065 CEST5870949705147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:04.223408937 CEST44349712104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:04.223561049 CEST49712443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:04.224874020 CEST49712443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:04.224883080 CEST44349712104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:04.225130081 CEST44349712104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:04.230415106 CEST4970558709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:04.230421066 CEST49712443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:04.236896038 CEST44349713104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:04.236980915 CEST49713443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:04.239258051 CEST49713443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:04.239269972 CEST44349713104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:04.239622116 CEST44349713104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:34.072796106 CEST44349736104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:34.073260069 CEST4971458709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:34.349582911 CEST5870949714147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:34.351351023 CEST5870949714147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:34.398960114 CEST4971458709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:34.399425983 CEST4971458709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:34.677582026 CEST5870949714147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:35.009840012 CEST5870949714147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:35.055326939 CEST4971458709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:38.070862055 CEST4971458709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:38.293956041 CEST5870949714147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:38.302947998 CEST5870949714147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:38.303045034 CEST4971458709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:39.747035027 CEST5870949724147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:39.789572001 CEST4972458709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:40.015747070 CEST5870949724147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:40.070833921 CEST4972458709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:40.128494024 CEST49737443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:40.128595114 CEST4434973734.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:40.128699064 CEST49737443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:40.129731894 CEST49737443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:40.129770994 CEST4434973734.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:40.297020912 CEST5870949724147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:40.297350883 CEST4972458709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:40.355536938 CEST4434973734.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:40.355680943 CEST49737443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:40.357078075 CEST49737443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:40.357093096 CEST4434973734.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:40.357337952 CEST4434973734.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:40.398953915 CEST49737443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:40.404908895 CEST49737443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:40.452116966 CEST4434973734.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:40.568298101 CEST5870949724147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:40.608711004 CEST4434973734.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:40.608927965 CEST4434973734.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:40.609031916 CEST49737443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:40.613902092 CEST49737443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:40.613902092 CEST49737443192.168.2.534.117.186.192
                                                                                                                                    Apr 25, 2024 20:36:40.613945961 CEST4434973734.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:40.613972902 CEST4434973734.117.186.192192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:40.622412920 CEST49738443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:40.622458935 CEST44349738104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:40.622522116 CEST49738443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:40.622879982 CEST49738443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:40.622898102 CEST44349738104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:40.855262041 CEST44349738104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:40.855391979 CEST49738443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:40.856669903 CEST49738443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:40.856698036 CEST44349738104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:40.856951952 CEST44349738104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:40.858151913 CEST49738443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:40.900124073 CEST44349738104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:41.176826000 CEST44349738104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:41.176948071 CEST44349738104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:41.177133083 CEST49738443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:41.177594900 CEST49738443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:41.177639961 CEST44349738104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:41.177666903 CEST49738443192.168.2.5104.26.5.15
                                                                                                                                    Apr 25, 2024 20:36:41.177674055 CEST44349738104.26.5.15192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:41.178153992 CEST4972458709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:41.458643913 CEST5870949724147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:42.054054976 CEST5870949724147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:42.055356026 CEST4972458709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:42.333805084 CEST5870949724147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:45.040415049 CEST5870949724147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:45.086431980 CEST4972458709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:48.163853884 CEST4972458709192.168.2.5147.45.47.93
                                                                                                                                    Apr 25, 2024 20:36:48.390183926 CEST5870949724147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:48.396677971 CEST5870949724147.45.47.93192.168.2.5
                                                                                                                                    Apr 25, 2024 20:36:48.396748066 CEST4972458709192.168.2.5147.45.47.93
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 25, 2024 20:36:00.932415962 CEST | 49349 | 53 | 192.168.2.5 | 1.1.1.1
Apr 25, 2024 20:36:01.042365074 CEST | 53 | 49349 | 1.1.1.1 | 192.168.2.5
Apr 25, 2024 20:36:01.587227106 CEST | 61447 | 53 | 192.168.2.5 | 1.1.1.1
Apr 25, 2024 20:36:01.698996067 CEST | 53 | 61447 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 25, 2024 20:36:00.932415962 CEST | 192.168.2.5 | 1.1.1.1 | 0x80b6 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Apr 25, 2024 20:36:01.587227106 CEST | 192.168.2.5 | 1.1.1.1 | 0x9515 | Standard query (0) | db-ip.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 25, 2024 20:36:01.042365074 CEST | 1.1.1.1 | 192.168.2.5 | 0x80b6 | No error (0) | ipinfo.io | | 34.117.186.192 | A (IP address) | IN (0x0001) | false
Apr 25, 2024 20:36:01.698996067 CEST | 1.1.1.1 | 192.168.2.5 | 0x9515 | No error (0) | db-ip.com | | 104.26.5.15 | A (IP address) | IN (0x0001) | false
Apr 25, 2024 20:36:01.698996067 CEST | 1.1.1.1 | 192.168.2.5 | 0x9515 | No error (0) | db-ip.com | | 104.26.4.15 | A (IP address) | IN (0x0001) | false
Apr 25, 2024 20:36:01.698996067 CEST | 1.1.1.1 | 192.168.2.5 | 0x9515 | No error (0) | db-ip.com | | 172.67.75.166 | A (IP address) | IN (0x0001) | false

• https:
  • ipinfo.io
  • db-ip.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49706 | 34.117.186.192 | 443 | 5688 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-25 18:36:01 UTC | 239 | OUT | GET /widget/demo/185.152.66.230 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: ipinfo.io
2024-04-25 18:36:01 UTC | 514 | IN | HTTP/1.1 200 OK
    server: nginx/1.24.0
    date: Thu, 25 Apr 2024 18:36:01 GMT
    content-type: application/json; charset=utf-8
    Content-Length: 1052
    access-control-allow-origin: *
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    x-content-type-options: nosniff
    referrer-policy: strict-origin-when-cross-origin
    x-envoy-upstream-service-time: 1
    via: 1.1 google
    strict-transport-security: max-age=2592000; includeSubDomains
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Connection: close
2024-04-25 18:36:01 UTC | 741 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 31 38 35 2e 31 35 32 2e 36 36 2e 32 33 30 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 31 38 35 2e 31 35 32 2e 36 36 2e 32 33 30 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 75 6e 6e 2d 31 38 35 2d 31 35 32 2d 36 36 2d 32 33 30 2e 64 61 74 61 70 61 63 6b 65 74 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 33 2e 37 34 39 30 2c 2d 38 34 2e 33 38 38 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 36 30 30 36 38 20 44 61 74 61 63 61 6d 70 20 4c 69
    Data Ascii: { "input": "185.152.66.230", "data": { "ip": "185.152.66.230", "hostname": "unn-185-152-66-230.datapacket.com", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS60068 Datacamp Li
2024-04-25 18:36:01 UTC | 311 | IN | Data Raw: 3a 20 22 43 79 62 65 72 47 68 6f 73 74 22 0a 20 20 20 20 7d 2c 0a 20 20 20 20 22 61 62 75 73 65 22 3a 20 7b 0a 20 20 20 20 20 20 22 61 64 64 72 65 73 73 22 3a 20 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 2c 20 5a 64 65 6e 65 6b 20 43 65 6e 64 72 61 2c 20 32 30 37 20 52 65 67 65 6e 74 20 53 74 72 65 65 74 2c 20 57 31 42 20 33 48 48 2c 20 4c 6f 6e 64 6f 6e 2c 20 55 4e 49 54 45 44 20 4b 49 4e 47 44 4f 4d 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 64 61 74 61 63 61 6d 70 2e 63 6f 2e 75 6b 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 43 6f 6e 74 61 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 31 38 35
    Data Ascii: : "CyberGhost" }, "abuse": { "address": "Datacamp Limited, Zdenek Cendra, 207 Regent Street, W1B 3HH, London, UNITED KINGDOM", "country": "US", "email": "abuse@datacamp.co.uk", "name": "Abuse Contact", "network": "185


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49707 | 104.26.5.15 | 443 | 5688 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
2024-04-25 18:36:01 UTC | 263 | OUT | GET /demo/home.php?s=185.152.66.230 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: db-ip.com
2024-04-25 18:36:02 UTC | 664 | IN | HTTP/1.1 200 OK
    Date: Thu, 25 Apr 2024 18:36:02 GMT
    Content-Type: application/json
    Transfer-Encoding: chunked
    Connection: close
    x-iplb-request-id: AC45460E:F270_93878F2E:0050_662AA292_9DF5401:4F34
    x-iplb-instance: 59215
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wilj9%2FVC%2FNPeDlvx0SbO%2FYDYSWUyeKhnera62KZAuDTHvE8qy4Wrb%2BUN6f8EFF%2B24iiDoaepWyuA%2B85uk5PRXbPX82fpJa1FwzOqwIyw4WNzwb5BCh%2ByyD%2FJfA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 87a06fb15e7344dd-ATL
    alt-svc: h3=":443"; ma=86400
2024-04-25 18:36:02 UTC | 675 | IN | Data Raw: 32 39 63 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 31 38 35 2e 31 35 32 2e 36 36 2e 32 33 30 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73
    Data Ascii: 29c{"status":"ok","demoInfo":{"ipAddress":"185.152.66.230","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages
2024-04-25 18:36:02 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0
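The packet list above shows two kinds of traffic worth pulling out of a report like this one: TCP sessions from several client ports (49714, 49724) to 147.45.47.93 on port 58709, a port with no standard service, and TLS sessions to ipinfo.io and db-ip.com that carry the two HTTP requests shown in sessions 0 and 1. Both requests look up the same address, 185.152.66.230, which is not the analysis VM (192.168.2.5); the ipinfo.io response attributes it to a Datacamp range tagged "CyberGhost", so it is the sandbox network's public egress address, which the sample learns before reporting in. The following triage helper is an added example, not part of the Joe Sandbox report or of the sample: it groups packet rows into client/server conversations, flags servers reached on ports outside an allow-list, and flags requests to the two geolocation endpoints. The sample rows are constructed from values shown in this report, and `LOCAL_NET` and `STANDARD_PORTS` are assumptions an analyst would tune.

```python
"""Triage helper for the packet and HTTP-session tables of a sandbox report.
Added example, not Joe Sandbox code.  Groups TCP/UDP packet rows into
client/server conversations, flags servers reached on ports outside an
allow-list, and flags HTTP requests to public IP-geolocation endpoints.
The sample rows below are constructed from values shown in the report;
LOCAL_NET and STANDARD_PORTS are assumptions."""
from collections import defaultdict
import re

# Constructed sample of packet rows: (time, src_port, dst_port, src_ip, dst_ip).
PACKETS = [
    ("20:36:00.932415962", 49349, 53, "192.168.2.5", "1.1.1.1"),
    ("20:36:01.042365074", 53, 49349, "1.1.1.1", "192.168.2.5"),
    ("20:36:33.503887892", 49735, 443, "192.168.2.5", "34.117.186.192"),
    ("20:36:33.503916979", 443, 49735, "34.117.186.192", "192.168.2.5"),
    ("20:36:33.506259918", 49736, 443, "192.168.2.5", "104.26.5.15"),
    ("20:36:33.506299973", 443, 49736, "104.26.5.15", "192.168.2.5"),
    ("20:36:34.073260069", 49714, 58709, "192.168.2.5", "147.45.47.93"),
    ("20:36:34.349582911", 58709, 49714, "147.45.47.93", "192.168.2.5"),
    ("20:36:39.747035027", 58709, 49724, "147.45.47.93", "192.168.2.5"),
    ("20:36:39.789572001", 49724, 58709, "192.168.2.5", "147.45.47.93"),
]

# Constructed sample of HTTP sessions: (process, Host header, request line).
HTTP_REQUESTS = [
    (r"C:\Users\user\Desktop\file.exe", "ipinfo.io",
     "GET /widget/demo/185.152.66.230 HTTP/1.1"),
    (r"C:\Users\user\Desktop\file.exe", "db-ip.com",
     "GET /demo/home.php?s=185.152.66.230 HTTP/1.1"),
    (r"C:\ProgramData\MPGPH131\MPGPH131.exe", "ipinfo.io",
     "GET /widget/demo/185.152.66.230 HTTP/1.1"),
]

LOCAL_NET = "192.168."          # assumption: the analysis VM's subnet
STANDARD_PORTS = {53, 80, 443}  # assumption: ports the analyst expects to see


def conversations(packets):
    """Group packets by (server_ip, server_port).

    The server side is whichever endpoint lies outside LOCAL_NET, so both
    directions of a flow land in the same bucket.  Each bucket records the
    client ports used (a new client port means a new TCP connection), the
    packet count and the first/last timestamp."""
    convs = defaultdict(lambda: {"client_ports": set(), "packets": 0,
                                 "first": None, "last": None})
    for ts, sport, dport, sip, dip in packets:
        if sip.startswith(LOCAL_NET):
            key, client_port = (dip, dport), sport
        else:
            key, client_port = (sip, sport), dport
        c = convs[key]
        c["client_ports"].add(client_port)
        c["packets"] += 1
        # Same-day HH:MM:SS.ns strings, so string order is time order.
        c["first"] = ts if c["first"] is None else min(c["first"], ts)
        c["last"] = ts if c["last"] is None else max(c["last"], ts)
    return dict(convs)


def nonstandard_port_servers(packets):
    """Return [(server_ip, port, packet_count, connection_count)] for every
    server contacted on a port outside STANDARD_PORTS, sorted by address."""
    return sorted(
        (ip, port, c["packets"], len(c["client_ports"]))
        for (ip, port), c in conversations(packets).items()
        if port not in STANDARD_PORTS
    )


# Request-line patterns for the two geolocation endpoints seen in the report.
GEOIP_ENDPOINTS = {
    "ipinfo.io": re.compile(r"^GET /widget/demo/(\d{1,3}(?:\.\d{1,3}){3}) HTTP/"),
    "db-ip.com": re.compile(r"^GET /demo/home\.php\?s=(\d{1,3}(?:\.\d{1,3}){3}) HTTP/"),
}


def geoip_lookups(requests):
    """Return [(process, host, looked_up_ip)] for requests that hit a known
    geolocation endpoint.  The looked-up IP is the public egress address the
    sample learned for the victim, so it identifies the victim, not a server."""
    hits = []
    for proc, host, request_line in requests:
        pattern = GEOIP_ENDPOINTS.get(host)
        if pattern is None:
            continue
        m = pattern.match(request_line)
        if m:
            hits.append((proc, host, m.group(1)))
    return hits


if __name__ == "__main__":
    for ip, port, pkts, conns in nonstandard_port_servers(PACKETS):
        print(f"non-standard port: {ip}:{port} ({pkts} packets, {conns} connections)")
    for proc, host, ip in geoip_lookups(HTTP_REQUESTS):
        print(f"geolocation lookup of {ip} via {host} by {proc}")
```

Two things the output makes explicit that the raw tables do not: the 58709 conversation spans more than one client port, so it is repeated connections rather than one long session, and the same geolocation request is made twice, once by the original file.exe and once by the copy dropped under C:\ProgramData (session 2 below), which is a cheap pivot for hunting the dropped binary on other hosts. The looked-up address belongs to the analysis network, so it should not be copied into blocklists; the non-standard-port destination is the indicator worth keeping.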


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.5  49710        34.117.186.192  443               1896  C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp | Bytes transferred | Direction | Data

2024-04-25 18:36:03 UTC | 239 bytes | OUT
GET /widget/demo/185.152.66.230 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: ipinfo.io

2024-04-25 18:36:03 UTC | 514 bytes | IN
HTTP/1.1 200 OK
server: nginx/1.24.0
date: Thu, 25 Apr 2024 18:36:03 GMT
content-type: application/json; charset=utf-8
Content-Length: 1052
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 2
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close

2024-04-25 18:36:03 UTC | 741 bytes | IN
Data Ascii: { "input": "185.152.66.230", "data": { "ip": "185.152.66.230", "hostname": "unn-185-152-66-230.datapacket.com", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS60068 Datacamp Li

2024-04-25 18:36:03 UTC | 311 bytes | IN
Data Ascii: : "CyberGhost" }, "abuse": { "address": "Datacamp Limited, Zdenek Cendra, 207 Regent Street, W1B 3HH, London, UNITED KINGDOM", "country": "US", "email": "abuse@datacamp.co.uk", "name": "Abuse Contact", "network": "185


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.5  49711        34.117.186.192  443               3160  C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp | Bytes transferred | Direction | Data

2024-04-25 18:36:03 UTC | 239 bytes | OUT
GET /widget/demo/185.152.66.230 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: ipinfo.io

2024-04-25 18:36:03 UTC | 514 bytes | IN
HTTP/1.1 200 OK
server: nginx/1.24.0
date: Thu, 25 Apr 2024 18:36:03 GMT
content-type: application/json; charset=utf-8
Content-Length: 1052
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 2
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close

2024-04-25 18:36:03 UTC | 741 bytes | IN
Data Ascii: { "input": "185.152.66.230", "data": { "ip": "185.152.66.230", "hostname": "unn-185-152-66-230.datapacket.com", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS60068 Datacamp Li

2024-04-25 18:36:03 UTC | 311 bytes | IN
Data Ascii: : "CyberGhost" }, "abuse": { "address": "Datacamp Limited, Zdenek Cendra, 207 Regent Street, W1B 3HH, London, UNITED KINGDOM", "country": "US", "email": "abuse@datacamp.co.uk", "name": "Abuse Contact", "network": "185


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.5  49712        104.26.5.15     443               1896  C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp | Bytes transferred | Direction | Data

2024-04-25 18:36:04 UTC | 263 bytes | OUT
GET /demo/home.php?s=185.152.66.230 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: db-ip.com

2024-04-25 18:36:04 UTC | 654 bytes | IN
HTTP/1.1 200 OK
Date: Thu, 25 Apr 2024 18:36:04 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
x-iplb-request-id: AC4547DA:93BC_93878F2E:0050_662AA294_9DC9D97:7B63
x-iplb-instance: 59128
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=20yVzj%2FDc4%2BSi9n0FwsW5b1dsNSvaWO80Yj9meqddJTF2lVd4HFNL54STrwcgXz7jcidJmiMA6dhv3ExNUBUZ%2FR9fXffzgCV6R1eucIFKeIlVLfGqXlrnuij9w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87a06fbfaa064529-ATL
alt-svc: h3=":443"; ma=86400

2024-04-25 18:36:04 UTC | 85 bytes | IN
Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}

2024-04-25 18:36:04 UTC | 5 bytes | IN
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.5  49713        104.26.5.15     443               3160  C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp | Bytes transferred | Direction | Data

2024-04-25 18:36:04 UTC | 263 bytes | OUT
GET /demo/home.php?s=185.152.66.230 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: db-ip.com

2024-04-25 18:36:04 UTC | 656 bytes | IN
HTTP/1.1 200 OK
Date: Thu, 25 Apr 2024 18:36:04 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
x-iplb-request-id: AC454745:D82C_93878F2E:0050_662AA294_9DF5439:4F34
x-iplb-instance: 59215
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XOz1YHa990aI6n9F6i2N%2FqPH2aVZfg9ZRJR5rVbmous%2BJLRLFbbMuU7XPJoeJ66X8JOeNzCj64EDJNiQCrlOt1Z4W0us46%2F2r4O3MTiBjkh%2FiMmW8zhK13dR1A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87a06fbfbccf676a-ATL
alt-svc: h3=":443"; ma=86400

2024-04-25 18:36:04 UTC | 85 bytes | IN
Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}

2024-04-25 18:36:04 UTC | 5 bytes | IN
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.5  49735        34.117.186.192  443               6984  C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp | Bytes transferred | Direction | Data

2024-04-25 18:36:33 UTC | 239 bytes | OUT
GET /widget/demo/185.152.66.230 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: ipinfo.io

2024-04-25 18:36:33 UTC | 514 bytes | IN
HTTP/1.1 200 OK
server: nginx/1.24.0
date: Thu, 25 Apr 2024 18:36:33 GMT
content-type: application/json; charset=utf-8
Content-Length: 1052
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 3
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close

2024-04-25 18:36:33 UTC | 741 bytes | IN
Data Ascii: { "input": "185.152.66.230", "data": { "ip": "185.152.66.230", "hostname": "unn-185-152-66-230.datapacket.com", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS60068 Datacamp Li

2024-04-25 18:36:33 UTC | 311 bytes | IN
Data Ascii: : "CyberGhost" }, "abuse": { "address": "Datacamp Limited, Zdenek Cendra, 207 Regent Street, W1B 3HH, London, UNITED KINGDOM", "country": "US", "email": "abuse@datacamp.co.uk", "name": "Abuse Contact", "network": "185


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.5  49736        104.26.5.15     443               6984  C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp | Bytes transferred | Direction | Data

2024-04-25 18:36:33 UTC | 263 bytes | OUT
GET /demo/home.php?s=185.152.66.230 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: db-ip.com

2024-04-25 18:36:34 UTC | 654 bytes | IN
HTTP/1.1 200 OK
Date: Thu, 25 Apr 2024 18:36:34 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
x-iplb-request-id: AC454652:9314_93878F2E:0050_662AA2B1_9DCA07F:7B63
x-iplb-instance: 59128
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WyTWbxILDScup5AwhaQ7%2F3nehb2PN9p6VcC%2BZu3qx7CwH8CHyv7b45vQJViAmDn1szWgM6kFQPjWnrqdKw4LrvpiEXs804coItj1hZ3WsFtlLxNQ0ip%2BpJ8KMA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87a07078193d6787-ATL
alt-svc: h3=":443"; ma=86400

2024-04-25 18:36:34 UTC | 85 bytes | IN
Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}

2024-04-25 18:36:34 UTC | 5 bytes | IN
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
8           192.168.2.5  49737        34.117.186.192  443               4204  C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp                Bytes  Direction  Data
2024-04-25 18:36:40 UTC  239    OUT        GET /widget/demo/185.152.66.230 HTTP/1.1
                                    Connection: Keep-Alive
                                    Referer: https://ipinfo.io/
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                    Host: ipinfo.io
2024-04-25 18:36:40 UTC  514    IN         HTTP/1.1 200 OK
                                    server: nginx/1.24.0
                                    date: Thu, 25 Apr 2024 18:36:40 GMT
                                    content-type: application/json; charset=utf-8
                                    Content-Length: 1052
                                    access-control-allow-origin: *
                                    x-frame-options: SAMEORIGIN
                                    x-xss-protection: 1; mode=block
                                    x-content-type-options: nosniff
                                    referrer-policy: strict-origin-when-cross-origin
                                    x-envoy-upstream-service-time: 4
                                    via: 1.1 google
                                    strict-transport-security: max-age=2592000; includeSubDomains
                                    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                    Connection: close
2024-04-25 18:36:40 UTC  741    IN         Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 31 38 35 2e 31 35 32 2e 36 36 2e 32 33 30 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 31 38 35 2e 31 35 32 2e 36 36 2e 32 33 30 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 75 6e 6e 2d 31 38 35 2d 31 35 32 2d 36 36 2d 32 33 30 2e 64 61 74 61 70 61 63 6b 65 74 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 41 74 6c 61 6e 74 61 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 47 65 6f 72 67 69 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 33 2e 37 34 39 30 2c 2d 38 34 2e 33 38 38 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 36 30 30 36 38 20 44 61 74 61 63 61 6d 70 20 4c 69
                                    Data Ascii: { "input": "185.152.66.230", "data": { "ip": "185.152.66.230", "hostname": "unn-185-152-66-230.datapacket.com", "city": "Atlanta", "region": "Georgia", "country": "US", "loc": "33.7490,-84.3880", "org": "AS60068 Datacamp Li
2024-04-25 18:36:40 UTC  311    IN         Data Raw: 3a 20 22 43 79 62 65 72 47 68 6f 73 74 22 0a 20 20 20 20 7d 2c 0a 20 20 20 20 22 61 62 75 73 65 22 3a 20 7b 0a 20 20 20 20 20 20 22 61 64 64 72 65 73 73 22 3a 20 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 2c 20 5a 64 65 6e 65 6b 20 43 65 6e 64 72 61 2c 20 32 30 37 20 52 65 67 65 6e 74 20 53 74 72 65 65 74 2c 20 57 31 42 20 33 48 48 2c 20 4c 6f 6e 64 6f 6e 2c 20 55 4e 49 54 45 44 20 4b 49 4e 47 44 4f 4d 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 64 61 74 61 63 61 6d 70 2e 63 6f 2e 75 6b 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 43 6f 6e 74 61 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 31 38 35
                                    Data Ascii: : "CyberGhost" }, "abuse": { "address": "Datacamp Limited, Zdenek Cendra, 207 Regent Street, W1B 3HH, London, UNITED KINGDOM", "country": "US", "email": "abuse@datacamp.co.uk", "name": "Abuse Contact", "network": "185


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
9           192.168.2.5  49738        104.26.5.15     443               4204  C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp                Bytes  Direction  Data
2024-04-25 18:36:40 UTC  263    OUT        GET /demo/home.php?s=185.152.66.230 HTTP/1.1
                                    Connection: Keep-Alive
                                    Content-Type: application/x-www-form-urlencoded
                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                    Host: db-ip.com
2024-04-25 18:36:41 UTC  654    IN         HTTP/1.1 200 OK
                                    Date: Thu, 25 Apr 2024 18:36:41 GMT
                                    Content-Type: application/json
                                    Transfer-Encoding: chunked
                                    Connection: close
                                    x-iplb-request-id: AC471EBF:56C0_93878F2E:0050_662AA2B9_9DCA121:7B63
                                    x-iplb-instance: 59128
                                    CF-Cache-Status: DYNAMIC
                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BYLU3AdwzGky3oD4U6K3xyupQPERfmGxF05yY5UwMa1zJWyAQWYGlrSn4TVXZronIBeDRUTf%2BRlmPne6ay5n7e1BHeGbRekA%2F33SheFiRh3r5jkViU%2FOuPK4MQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                    Server: cloudflare
                                    CF-RAY: 87a070a49d937ba0-ATL
                                    alt-svc: h3=":443"; ma=86400
2024-04-25 18:36:41 UTC  85     IN         Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
                                    Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-04-25 18:36:41 UTC  5      IN         Data Raw: 30 0d 0a 0d 0a
                                    Data Ascii: 0

Target ID: 0
Start time: 20:35:56
Start date: 25/04/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x7a0000
File size: 2'270'736 bytes
MD5 hash: 6795EFBA98699A0CAE3C4F729B83ACE9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2326694552.0000000005DC4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 20:35:58
Start date: 25/04/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase: 0x660000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 20:35:58
Start date: 25/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 20:35:58
Start date: 25/04/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase: 0x660000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 20:35:58
Start date: 25/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 20:35:59
Start date: 25/04/2024
Path: C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit): true
Commandline: C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase: 0x240000
File size: 2'270'736 bytes
MD5 hash: 6795EFBA98699A0CAE3C4F729B83ACE9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000002.2333459442.00000000059B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 39%, Virustotal
• Detection: 32%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 7
Start time: 20:35:59
Start date: 25/04/2024
Path: C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit): true
Commandline: C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase: 0x240000
File size: 2'270'736 bytes
MD5 hash: 6795EFBA98699A0CAE3C4F729B83ACE9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

                                                                                                                                    Target ID:8
                                                                                                                                    Start time:20:36:07
                                                                                                                                    Start date:25/04/2024
                                                                                                                                    Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                                                                                                                    Imagebase:0xe00000
                                                                                                                                    File size:2'270'736 bytes
                                                                                                                                    MD5 hash:6795EFBA98699A0CAE3C4F729B83ACE9
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Antivirus matches:
                                                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                                                    • Detection: 32%, ReversingLabs
                                                                                                                                    • Detection: 39%, Virustotal, Browse
                                                                                                                                    Reputation:low
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:11
                                                                                                                                    Start time:20:36:10
                                                                                                                                    Start date:25/04/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 1948
                                                                                                                                    Imagebase:0x160000
                                                                                                                                    File size:483'680 bytes
                                                                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:14
                                                                                                                                    Start time:20:36:14
                                                                                                                                    Start date:25/04/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1152
                                                                                                                                    Imagebase:0x160000
                                                                                                                                    File size:483'680 bytes
                                                                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:16
                                                                                                                                    Start time:20:36:16
                                                                                                                                    Start date:25/04/2024
                                                                                                                                    Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                                                                                                                    Imagebase:0xe00000
                                                                                                                                    File size:2'270'736 bytes
                                                                                                                                    MD5 hash:6795EFBA98699A0CAE3C4F729B83ACE9
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:low
                                                                                                                                    Has exited:true

Execution Graph

Execution Coverage: 25.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 50.6%
Total number of Nodes: 2000
Total number of Limit Nodes: 34
50429->50431 50432 7b9c82 50430->50432 50437 7b50e0 42 API calls std::_Throw_Cpp_error 50430->50437 50433 7b9c63 50431->50433 50432->50418 50433->50418 50436->50409 50437->50432 50560 7ff560 50561 7ff5b4 50560->50561 50562 80010a 50560->50562 50563 7bab20 42 API calls 50561->50563 50564 7bab20 42 API calls 50562->50564 50565 7ff696 50563->50565 50566 8001fe 50564->50566 50567 884050 88 API calls 50565->50567 50568 884050 88 API calls 50566->50568 50569 7ff6bc 50567->50569 50570 800224 50568->50570 50571 883fc0 87 API calls 50569->50571 50574 7ff6df 50569->50574 50572 883fc0 87 API calls 50570->50572 50573 800247 50570->50573 50571->50574 50572->50573 50575 7bb260 42 API calls 50573->50575 50579 80193b 50573->50579 50581 801911 50573->50581 50574->50562 50576 7bb260 42 API calls 50574->50576 50580 8000e0 50574->50580 50615 800277 std::ios_base::_Ios_base_dtor 50575->50615 50613 7ff70f 50576->50613 50577 883b20 95 API calls 50577->50579 50578 883b20 95 API calls 50578->50562 50580->50562 50580->50578 50581->50577 50581->50579 50582 7b30f0 42 API calls 50582->50613 50583 7bb260 42 API calls 50583->50613 50584 7bb260 42 API calls 50584->50615 50585 7b63b0 42 API calls std::_Throw_Cpp_error 50585->50615 50586 7bac50 42 API calls 50586->50613 50587 7b63b0 42 API calls std::_Throw_Cpp_error 50587->50613 50590 7bac50 42 API calls 50590->50615 50591 884050 88 API calls 50591->50613 50592 884050 88 API calls 50592->50615 50593 7d9810 42 API calls 50593->50613 50594 7d9810 42 API calls 50594->50615 50595 883fc0 87 API calls 50595->50613 50596 883fc0 87 API calls 50596->50615 50597 7bae20 42 API calls 50597->50613 50598 7bae20 42 API calls 50598->50615 50599 7babb0 42 API calls 50599->50613 50600 7babb0 42 API calls 50600->50615 50601 7b30f0 42 API calls 50601->50615 50602 7b6240 42 API calls 50602->50613 50603 7b6240 42 API calls 50603->50615 50604 7b3200 42 API calls 50604->50615 50605 7dd098 78 API calls 50605->50615 50606 7b3200 42 API calls 50606->50613 50607 7dd098 78 
API calls 50607->50613 50608 7a2cf0 42 API calls std::_Throw_Cpp_error 50608->50613 50609 7a2cf0 42 API calls std::_Throw_Cpp_error 50609->50615 50610 7baf80 42 API calls 50610->50613 50612 7a3350 76 API calls 50612->50613 50613->50580 50613->50582 50613->50583 50613->50586 50613->50587 50613->50591 50613->50593 50613->50595 50613->50597 50613->50599 50613->50602 50613->50606 50613->50607 50613->50608 50613->50610 50613->50612 50693 7b6210 42 API calls std::_Throw_Cpp_error 50613->50693 50694 7bb400 42 API calls 50613->50694 50695 7bbae0 42 API calls std::_Throw_Cpp_error 50613->50695 50615->50581 50615->50584 50615->50585 50615->50590 50615->50592 50615->50594 50615->50596 50615->50598 50615->50600 50615->50601 50615->50603 50615->50604 50615->50605 50615->50609 50616 7baf80 42 API calls 50615->50616 50618 7a3040 std::_Throw_Cpp_error 42 API calls 50615->50618 50619 7bace0 42 API calls 50615->50619 50620 801c24 50615->50620 50625 7bb400 42 API calls 50615->50625 50629 7b6260 42 API calls 50615->50629 50630 7a3350 76 API calls 50615->50630 50682 7c19a0 50615->50682 50696 7b6210 42 API calls std::_Throw_Cpp_error 50615->50696 50616->50615 50618->50615 50619->50615 50621 7d8c60 std::_Throw_Cpp_error 40 API calls 50620->50621 50622 801c29 50621->50622 50623 7bab20 42 API calls 50622->50623 50624 801d54 50623->50624 50626 884050 88 API calls 50624->50626 50625->50615 50627 801d7a 50626->50627 50628 883fc0 87 API calls 50627->50628 50631 801d9d 50627->50631 50628->50631 50629->50615 50630->50615 50632 7bb260 42 API calls 50631->50632 50634 8027de 50631->50634 50635 8027b0 50631->50635 50677 801dcd 50632->50677 50633 883b20 95 API calls 50633->50634 50636 7bab20 42 API calls 50634->50636 50635->50633 50635->50634 50637 8028c3 50636->50637 50638 884050 88 API calls 50637->50638 50639 8028e9 50638->50639 50640 883fc0 87 API calls 50639->50640 50641 80290c 50639->50641 50640->50641 50642 7bb260 42 API calls 50641->50642 50645 803349 50641->50645 50646 80331f 50641->50646 
50681 80293c 50642->50681 50643 883b20 95 API calls 50643->50645 50644 7b30f0 42 API calls 50644->50677 50646->50643 50646->50645 50647 7b3200 42 API calls 50647->50677 50648 7bb260 42 API calls 50648->50677 50649 7b63b0 42 API calls std::_Throw_Cpp_error 50649->50677 50650 7b3200 42 API calls 50650->50681 50651 7bb260 42 API calls 50651->50681 50652 7bac50 42 API calls 50652->50677 50653 7b63b0 42 API calls std::_Throw_Cpp_error 50653->50681 50655 884050 88 API calls 50655->50677 50656 7bac50 42 API calls 50656->50681 50657 7d9810 42 API calls 50657->50677 50658 7b6240 42 API calls 50658->50681 50659 883fc0 87 API calls 50659->50677 50660 7bae20 42 API calls 50660->50677 50661 7babb0 42 API calls 50661->50677 50663 884050 88 API calls 50663->50681 50664 7b6240 42 API calls 50664->50677 50665 7dd098 78 API calls 50665->50677 50666 7d9810 42 API calls 50666->50681 50667 883fc0 87 API calls 50667->50681 50668 7bae20 42 API calls 50668->50681 50669 7a2cf0 42 API calls std::_Throw_Cpp_error 50669->50677 50670 7babb0 42 API calls 50670->50681 50671 7b30f0 42 API calls 50671->50681 50672 7dd098 78 API calls 50672->50681 50673 7a2cf0 42 API calls std::_Throw_Cpp_error 50673->50681 50674 7baf80 42 API calls 50674->50677 50675 7bb400 42 API calls 50675->50677 50676 7a3350 76 API calls 50676->50677 50677->50635 50677->50644 50677->50647 50677->50648 50677->50649 50677->50652 50677->50655 50677->50657 50677->50659 50677->50660 50677->50661 50677->50664 50677->50665 50677->50669 50677->50674 50677->50675 50677->50676 50697 7b6210 42 API calls std::_Throw_Cpp_error 50677->50697 50678 7bb400 42 API calls 50678->50681 50679 7a3350 76 API calls 50679->50681 50680 7baf80 42 API calls 50680->50681 50681->50646 50681->50650 50681->50651 50681->50653 50681->50656 50681->50658 50681->50663 50681->50666 50681->50667 50681->50668 50681->50670 50681->50671 50681->50672 50681->50673 50681->50678 50681->50679 50681->50680 50698 7b6210 42 API calls std::_Throw_Cpp_error 50681->50698 50683 
7c19f5 50682->50683 50684 7c19d0 50682->50684 50685 7a2cf0 std::_Throw_Cpp_error 42 API calls 50683->50685 50684->50615 50686 7c1a03 50685->50686 50687 7bace0 42 API calls 50686->50687 50688 7c1a18 50687->50688 50689 7a7cf0 42 API calls 50688->50689 50690 7c1a2d 50689->50690 50691 7d51eb std::_Throw_Cpp_error RaiseException 50690->50691 50692 7c1a3e 50691->50692 50693->50613 50694->50613 50695->50613 50696->50615 50697->50677 50698->50681 43021 80a8a0 43250 80a8da 43021->43250 43022 80a901 43025 7b63b0 std::_Throw_Cpp_error 42 API calls 43022->43025 44159 7b63b0 43022->44159 43023 816644 43026 80a95c 43025->43026 43027 80a9e4 43026->43027 43029 80a9fe 43027->43029 43030 7a3040 std::_Throw_Cpp_error 42 API calls 43029->43030 44164 7a3040 43029->44164 43031 80ab79 43030->43031 43033 80aba2 43031->43033 43034 814d4b 43031->43034 44170 847d20 43031->44170 43037 80abb4 43033->43037 43035 814d59 43034->43035 43036 814d7b 43035->43036 43040 7b63b0 std::_Throw_Cpp_error 42 API calls 43036->43040 43038 80abd6 43037->43038 43039 7b63b0 std::_Throw_Cpp_error 42 API calls 43038->43039 43041 80abde 43039->43041 43042 814d8a 43040->43042 43043 80abf8 43041->43043 43050 814da7 43042->43050 43044 80abff 43043->43044 43045 7b63b0 std::_Throw_Cpp_error 42 API calls 43044->43045 43047 80ac07 43045->43047 43046 7b63b0 std::_Throw_Cpp_error 42 API calls 43046->43050 45048 7a2cf0 43047->45048 43048 7a2cf0 std::_Throw_Cpp_error 42 API calls 43048->43050 43050->43046 43050->43048 43058 814faa 43050->43058 43051 80ac81 43053 7a2cf0 std::_Throw_Cpp_error 42 API calls 43051->43053 43052 7a2cf0 std::_Throw_Cpp_error 42 API calls 43052->43058 43054 80adab 43053->43054 43055 847d20 222 API calls 43054->43055 43057 80adc4 43055->43057 43056 847d20 222 API calls 43056->43058 43060 80add9 43057->43060 43058->43052 43058->43056 43059 814fdc 43058->43059 43061 814ffe 43059->43061 43062 80adfb 43060->43062 43063 7b63b0 std::_Throw_Cpp_error 42 API calls 43061->43063 43064 7b63b0 std::_Throw_Cpp_error 
42 API calls 43062->43064 43065 81500d 43063->43065 43075 81502a 43065->43075 43070 7b63b0 std::_Throw_Cpp_error 42 API calls 43070->43075 43073 7a2cf0 std::_Throw_Cpp_error 42 API calls 43073->43075 43075->43070 43075->43073 43081 81522d 43075->43081 43077 7a2cf0 std::_Throw_Cpp_error 42 API calls 43077->43081 43079 847d20 222 API calls 43079->43081 43081->43077 43081->43079 43083 81525f 43081->43083 43085 815281 43083->43085 43088 7b63b0 std::_Throw_Cpp_error 42 API calls 43085->43088 43090 815290 43088->43090 43099 8152ad 43090->43099 43093 7b63b0 std::_Throw_Cpp_error 42 API calls 43093->43099 43096 7a2cf0 std::_Throw_Cpp_error 42 API calls 43096->43099 43099->43093 43099->43096 43106 8154b0 43099->43106 43101 7a2cf0 std::_Throw_Cpp_error 42 API calls 43101->43106 43104 847d20 222 API calls 43104->43106 43106->43101 43106->43104 43107 8154e2 43106->43107 43108 815504 43107->43108 43244 7a2cf0 std::_Throw_Cpp_error 42 API calls 43244->43250 43248 847d20 222 API calls 43248->43250 43250->43022 43250->43023 43250->43244 43250->43248 44160 7b63d8 44159->44160 44161 7b63e7 44160->44161 45052 7a32d0 44160->45052 44161->43022 44163 7b642a std::locale::_Locimp::_Locimp 44163->43022 44165 7a30c8 44164->44165 44166 7a3052 44164->44166 44167 7a3057 std::locale::_Locimp::_Locimp 44166->44167 44168 7a32d0 std::_Throw_Cpp_error 42 API calls 44166->44168 44167->43029 44169 7a30a3 std::locale::_Locimp::_Locimp 44168->44169 44169->43029 45111 7d59a0 44170->45111 44175 847dcd 44178 7b63b0 std::_Throw_Cpp_error 42 API calls 44175->44178 44176 848f5a 45373 7b52b0 44176->45373 44179 847dde 44178->44179 45118 8633b0 44179->45118 44181 847df4 44182 847e14 44181->44182 44383 847e81 std::locale::_Locimp::_Locimp 44181->44383 45352 7b85d0 44182->45352 44183 848f58 44332 849000 std::ios_base::_Ios_base_dtor std::locale::_Locimp::_Locimp 44183->44332 45378 7c42a0 44183->45378 44184 848f46 44187 7b85d0 78 API calls 44184->44187 44186 847e23 44188 7b85d0 78 API calls 44186->44188 
44187->44183 44197 847e2f 44188->44197 44190 84aebb 45148 7b7ef0 44190->45148 44192 84af2a 45167 7b40c0 44192->45167 44193 7be710 42 API calls 44193->44332 44197->43031 44199 7b8f00 42 API calls std::_Throw_Cpp_error 44199->44383 44205 84aeb6 44206 7d8c60 std::_Throw_Cpp_error 40 API calls 44205->44206 44206->44190 44212 7be8a0 42 API calls 44212->44332 44223 7bad80 42 API calls 44223->44332 44293 7bab20 42 API calls 44293->44332 44295 7be8a0 42 API calls 44295->44383 44299 884120 78 API calls 44299->44332 44300 7a3040 42 API calls std::_Throw_Cpp_error 44300->44332 44315 7a32d0 42 API calls std::_Throw_Cpp_error 44315->44332 44330 7b63b0 42 API calls std::_Throw_Cpp_error 44330->44332 44331 7babb0 42 API calls 44331->44383 44332->44186 44332->44190 44332->44193 44332->44205 44332->44212 44332->44223 44332->44293 44332->44299 44332->44300 44332->44315 44332->44330 44344 7c35f0 42 API calls 44332->44344 44362 7a2fe0 40 API calls std::_Throw_Cpp_error 44332->44362 45135 7b8f00 44332->45135 45144 7babb0 44332->45144 44344->44332 44359 884120 78 API calls 44359->44383 44360 7a32d0 std::_Throw_Cpp_error 42 API calls 44360->44383 44362->44332 44368 7b63b0 42 API calls std::_Throw_Cpp_error 44368->44383 44383->44184 44383->44190 44383->44199 44383->44295 44383->44331 44383->44359 44383->44360 44383->44368 45367 7a2fe0 44383->45367 45372 7c4400 45 API calls 4 library calls 44383->45372 45049 7a2d13 45048->45049 45049->45049 45050 7a3040 std::_Throw_Cpp_error 42 API calls 45049->45050 45051 7a2d25 45050->45051 45051->43051 45053 7a32e2 45052->45053 45054 7a3306 45052->45054 45055 7a32e9 45053->45055 45056 7a331f 45053->45056 45057 7a3318 45054->45057 45060 7d3662 std::_Facet_Register 42 API calls 45054->45060 45066 7d3662 45055->45066 45077 7a2b50 42 API calls 3 library calls 45056->45077 45057->44163 45062 7a3310 45060->45062 45061 7a32ef 45064 7a32f8 45061->45064 45078 7d8c60 45061->45078 45062->44163 45064->44163 45068 7d3667 45066->45068 45069 7d3681 45068->45069 45071 
7a2b50 Concurrency::cancel_current_task 45068->45071 45083 7e23dc 45068->45083 45099 7e5a79 RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 45068->45099 45069->45061 45072 7d368d 45071->45072 45088 7d51eb 45071->45088 45072->45072 45074 7a2b6c 45091 7d4b05 45074->45091 45077->45061 45109 7d8b9c 40 API calls ___std_exception_copy 45078->45109 45080 7d8c6f 45110 7d8c7d 11 API calls std::locale::_Setgloballocale 45080->45110 45082 7d8c7c 45086 7eb086 __dosmaperr 45083->45086 45084 7eb0af RtlAllocateHeap 45085 7eb0c2 45084->45085 45084->45086 45085->45068 45086->45084 45086->45085 45100 7e5a79 RtlEnterCriticalSection RtlLeaveCriticalSection std::_Facet_Register 45086->45100 45089 7d5205 45088->45089 45090 7d5232 RaiseException 45088->45090 45089->45090 45090->45074 45092 7d4b12 45091->45092 45098 7a2bac 45091->45098 45092->45092 45093 7e23dc ___std_exception_copy 3 API calls 45092->45093 45092->45098 45094 7d4b2f 45093->45094 45095 7d4b3f 45094->45095 45101 7e9995 40 API calls ___std_exception_copy 45094->45101 45102 7e1c86 45095->45102 45098->45061 45099->45068 45100->45086 45101->45095 45105 7eb00c 45102->45105 45104 7e1c9e 45104->45098 45106 7eb017 RtlFreeHeap 45105->45106 45108 7eb039 __dosmaperr 45105->45108 45107 7eb02c GetLastError 45106->45107 45106->45108 45107->45108 45108->45104 45109->45080 45110->45082 45112 7d59b7 SHGetFolderPathA 45111->45112 45113 7bac50 45112->45113 45114 7bac81 45113->45114 45115 7bacd3 45114->45115 45116 7be8a0 42 API calls 45114->45116 45117 7bacb2 45116->45117 45117->44175 45117->44176 45122 863422 45118->45122 45119 7bab20 42 API calls 45120 8634d5 FindFirstFileA 45119->45120 45129 863509 std::ios_base::_Ios_base_dtor 45120->45129 45122->45119 45123 863813 45123->44181 45124 8637e7 FindNextFileA 45125 8637fd GetLastError 45124->45125 45124->45129 45126 86380c FindClose 45125->45126 45125->45129 45126->45123 45127 7bab20 42 API calls 45127->45129 45128 7a3040 std::_Throw_Cpp_error 42 API calls 45128->45129 
45129->45123 45129->45124 45129->45127 45129->45128 45130 7b8f00 std::_Throw_Cpp_error 42 API calls 45129->45130 45131 86383e 45129->45131 45133 7c42a0 42 API calls 45129->45133 45130->45129 45132 7d8c60 std::_Throw_Cpp_error 40 API calls 45131->45132 45134 863843 45132->45134 45133->45129 45136 7b8f22 std::locale::_Locimp::_Locimp 45135->45136 45137 7b8f4f 45135->45137 45136->44332 45138 7a32d0 std::_Throw_Cpp_error 42 API calls 45137->45138 45139 7b902f std::ios_base::_Ios_base_dtor 45137->45139 45140 7b8fa4 std::locale::_Locimp::_Locimp 45138->45140 45139->44332 45141 7b9002 std::locale::_Locimp::_Locimp 45140->45141 45142 7a2fe0 std::_Throw_Cpp_error 40 API calls 45140->45142 45141->44332 45143 7b8fef 45142->45143 45143->44332 45145 7babe1 45144->45145 45145->45145 45146 7b8f00 std::_Throw_Cpp_error 42 API calls 45145->45146 45147 7babf6 45146->45147 45147->44332 45149 7b7f1d 45148->45149 45150 7b8034 45148->45150 45151 7b7fcb 45149->45151 45152 7b7f2b 45149->45152 45153 7b7f7c 45149->45153 45154 7b7f83 45149->45154 45155 7b7f24 45149->45155 45159 7a2cf0 std::_Throw_Cpp_error 42 API calls 45150->45159 45162 7b7f29 45150->45162 45151->44192 45158 7d3662 std::_Facet_Register 42 API calls 45152->45158 45568 7bcf80 42 API calls 2 library calls 45153->45568 45156 7d3662 std::_Facet_Register 42 API calls 45154->45156 45567 7bc3a0 42 API calls std::_Facet_Register 45155->45567 45156->45162 45158->45162 45161 7b804f 45159->45161 45569 7a7f90 42 API calls 2 library calls 45161->45569 45162->44192 45164 7b8062 45165 7d51eb std::_Throw_Cpp_error RaiseException 45164->45165 45166 7b8073 45165->45166 45171 7b40ff 45167->45171 45168 7d3662 std::_Facet_Register 42 API calls 45169 7b412e 45168->45169 45171->45168 45353 7b863c std::ios_base::_Ios_base_dtor 45352->45353 45354 7b85f3 45352->45354 45353->44186 45354->45353 45355 7d8c60 std::_Throw_Cpp_error 40 API calls 45354->45355 45368 7a3007 45367->45368 45369 7a3017 std::ios_base::_Ios_base_dtor 45367->45369 45368->45369 
45370 7d8c60 std::_Throw_Cpp_error 40 API calls 45368->45370 45369->44383 45372->44383 45374 7b52fb 45373->45374 45375 7b52bb 45373->45375 45376 7c42a0 42 API calls 45374->45376 45375->44183 45377 7b5304 45376->45377 45377->44183 45379 7c43e9 45378->45379 45380 7c42fa 45378->45380 47095 7a3330 42 API calls 45379->47095 47082 7c6ff0 45380->47082 45384 7c4336 47090 7c7830 45384->47090 45386 7c43b0 45386->44332 45567->45162 45568->45162 45569->45164 47083 7c703c 47082->47083 47085 7c6ff9 47082->47085 47083->47083 47084 7c7013 47086 7c701c 47084->47086 47087 7d3662 std::_Facet_Register 42 API calls 47084->47087 47085->47083 47085->47084 47088 7d3662 std::_Facet_Register 42 API calls 47085->47088 47086->45384 47089 7c7035 47087->47089 47088->47084 47089->45384 47091 7c7882 std::ios_base::_Ios_base_dtor 47090->47091 47092 7c783d 47090->47092 47091->45386 47092->47091 47093 7d8c60 std::_Throw_Cpp_error 40 API calls 47092->47093 47723 809f60 47732 809f9b 47723->47732 47724 80a880 47725 7b63b0 42 API calls std::_Throw_Cpp_error 47725->47732 47727 7baf80 42 API calls 47727->47732 47728 7b38b0 42 API calls 47728->47732 47732->47724 47732->47725 47732->47727 47732->47728 47734 7b3d50 42 API calls 47732->47734 47735 83cbf0 47732->47735 47820 83aec0 47732->47820 47897 838a80 47732->47897 47975 8361d0 47732->47975 48049 833ed0 47732->48049 47734->47732 47736 83cc26 47735->47736 47737 7b7ef0 42 API calls 47736->47737 47738 83cc4f 47737->47738 47739 7b40c0 42 API calls 47738->47739 47740 83cc79 47739->47740 47741 7baf80 42 API calls 47740->47741 47742 83cd14 __fread_nolock 47741->47742 47743 83cd32 SHGetFolderPathA 47742->47743 47744 7bac50 42 API calls 47743->47744 47745 83cd5f 47744->47745 47746 7bab20 42 API calls 47745->47746 47747 83ce04 __fread_nolock 47746->47747 47748 83ce1e GetPrivateProfileSectionNamesA 47747->47748 47749 83ce51 std::ios_base::_Ios_base_dtor __fread_nolock std::locale::_Locimp::_Locimp 47748->47749 47751 840fad lstrlen 47749->47751 47752 83cf42 
GetPrivateProfileStringA 47749->47752 47753 84101b 47749->47753 47754 7babb0 42 API calls 47749->47754 47761 7d9810 42 API calls 47749->47761 47764 841075 47749->47764 47766 84107a 47749->47766 47767 7be8a0 42 API calls 47749->47767 47768 8849f0 89 API calls 47749->47768 47770 873b40 150 API calls 47749->47770 47772 7a32d0 std::_Throw_Cpp_error 42 API calls 47749->47772 47773 7bb430 53 API calls 47749->47773 47776 8ae2b0 5 API calls 47749->47776 47779 8739a0 89 API calls 47749->47779 47781 8410ce 47749->47781 47787 8e81a0 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection RtlFreeHeap GetLastError 47749->47787 47792 8e8990 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection RtlFreeHeap GetLastError 47749->47792 47793 7b30f0 42 API calls 47749->47793 47794 7b3200 42 API calls 47749->47794 47795 884050 88 API calls 47749->47795 47796 7b7ef0 42 API calls 47749->47796 47797 83f77f CreateDirectoryA 47749->47797 47799 7d3662 42 API calls std::_Facet_Register 47749->47799 47800 7bad80 42 API calls 47749->47800 47801 7b3d50 42 API calls 47749->47801 47802 7a3040 42 API calls std::_Throw_Cpp_error 47749->47802 47803 7a2fe0 40 API calls std::_Throw_Cpp_error 47749->47803 47804 7bb0e0 42 API calls 47749->47804 47805 83fa66 CreateDirectoryA 47749->47805 47806 7bb7b0 42 API calls 47749->47806 47807 7bab20 42 API calls 47749->47807 47808 7c6db0 42 API calls 47749->47808 47809 7a2cf0 std::_Throw_Cpp_error 42 API calls 47749->47809 47811 7bace0 42 API calls 47749->47811 47812 884120 78 API calls 47749->47812 47813 7b3980 42 API calls 47749->47813 47814 7baf80 42 API calls 47749->47814 47816 841130 154 API calls 47749->47816 47817 7e1618 75 API calls 47749->47817 47819 7dd098 78 API calls 47749->47819 48125 7e0f9e 47749->48125 48135 7cc070 42 API calls 2 library calls 47749->48135 48136 7c4900 42 API calls 47749->48136 48137 8e82d0 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection RtlFreeHeap GetLastError 47749->48137 48138 7bb9d0 42 API calls 
2 library calls 47749->48138 48139 7b36c0 42 API calls std::_Throw_Cpp_error 47749->48139 47751->47749 47755 840fc3 47751->47755 47752->47749 47756 7a2cf0 std::_Throw_Cpp_error 42 API calls 47753->47756 47754->47749 47755->47732 47757 841034 47756->47757 47758 7bace0 42 API calls 47757->47758 47759 841049 47758->47759 47760 7a7cf0 42 API calls 47759->47760 47762 841061 47760->47762 47761->47749 47763 7d51eb std::_Throw_Cpp_error RaiseException 47762->47763 47763->47764 47765 7d8c60 std::_Throw_Cpp_error 40 API calls 47764->47765 47765->47766 47769 7a2cf0 std::_Throw_Cpp_error 42 API calls 47766->47769 47767->47749 47768->47749 47771 84108d 47769->47771 47770->47749 47774 7bace0 42 API calls 47771->47774 47772->47749 47773->47749 47775 8410a2 47774->47775 47777 7a7cf0 42 API calls 47775->47777 47776->47749 47778 8410ba 47777->47778 47780 7d51eb std::_Throw_Cpp_error RaiseException 47778->47780 47779->47749 47780->47781 47783 7a2cf0 std::_Throw_Cpp_error 42 API calls 47781->47783 47784 8410e2 47783->47784 47785 7bace0 42 API calls 47784->47785 47786 8410f7 47785->47786 47788 7a7cf0 42 API calls 47786->47788 47787->47749 47789 84110f 47788->47789 47790 7d51eb std::_Throw_Cpp_error RaiseException 47789->47790 47791 841123 47790->47791 47792->47749 47793->47749 47794->47749 47795->47749 47796->47749 47797->47749 47799->47749 47800->47749 47801->47749 47802->47749 47803->47749 47804->47749 47805->47749 47806->47749 47807->47749 47808->47749 47809->47749 47811->47749 47812->47749 47813->47749 47814->47749 47816->47749 47817->47749 47819->47749 47821 83aef6 47820->47821 47822 7b7ef0 42 API calls 47821->47822 47823 83af1f 47822->47823 47824 7b40c0 42 API calls 47823->47824 47825 83af49 47824->47825 47826 7baf80 42 API calls 47825->47826 47827 83afe4 __fread_nolock 47826->47827 47828 83b002 SHGetFolderPathA 47827->47828 47829 7bac50 42 API calls 47828->47829 47830 83b02f 47829->47830 47831 7bab20 42 API calls 47830->47831 47832 83b0d4 __fread_nolock 47831->47832 47833 83b0ee 
GetPrivateProfileSectionNamesA 47832->47833 47894 83b121 std::ios_base::_Ios_base_dtor __fread_nolock std::locale::_Locimp::_Locimp 47833->47894 47834 7e0f9e 50 API calls 47834->47894 47835 83ca51 lstrlen 47839 83ca67 47835->47839 47835->47894 47836 83b212 GetPrivateProfileStringA 47836->47894 47837 83cb88 47841 7d8c60 std::_Throw_Cpp_error 40 API calls 47837->47841 47838 7be8a0 42 API calls 47838->47894 47839->47732 47840 7babb0 42 API calls 47840->47894 47842 83cb92 47841->47842 47843 7a2cf0 std::_Throw_Cpp_error 42 API calls 47842->47843 47844 83cba9 47843->47844 47845 7bace0 42 API calls 47844->47845 47846 83cbbe 47845->47846 47847 7a7cf0 42 API calls 47846->47847 47848 83cbd6 47847->47848 47850 7d51eb std::_Throw_Cpp_error RaiseException 47848->47850 47849 7bab20 42 API calls 47849->47894 47851 83cbea 47850->47851 47852 7d9810 42 API calls 47852->47894 47853 7dd098 78 API calls 47853->47894 47854 7b7ef0 42 API calls 47854->47894 47855 7b40c0 42 API calls 47855->47894 47856 883880 45 API calls 47856->47894 47858 83cae0 47863 7a2cf0 std::_Throw_Cpp_error 42 API calls 47858->47863 47859 7a32d0 42 API calls std::_Throw_Cpp_error 47859->47894 47860 7b85d0 78 API calls 47860->47894 47861 7b80a0 42 API calls 47861->47894 47862 7b6130 42 API calls 47862->47894 47864 83caf7 47863->47864 47865 7bace0 42 API calls 47864->47865 47866 83cb0c 47865->47866 47868 7a7cf0 42 API calls 47866->47868 47867 873b40 150 API calls 47867->47894 47869 83cb24 47868->47869 47871 7d51eb std::_Throw_Cpp_error RaiseException 47869->47871 47870 8ae2b0 5 API calls 47870->47894 47871->47837 47872 83caa6 47876 7a2cf0 std::_Throw_Cpp_error 42 API calls 47872->47876 47873 8e8990 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection RtlFreeHeap GetLastError 47873->47894 47874 8739a0 89 API calls 47874->47894 47875 7a3040 42 API calls std::_Throw_Cpp_error 47875->47894 47879 83cab9 47876->47879 47877 8e81a0 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection RtlFreeHeap 
GetLastError 47877->47894 47880 7bace0 42 API calls 47879->47880 47886 83c9a7 47880->47886 47881 7a7cf0 42 API calls 47881->47869 47882 83c97e 47883 7a2cf0 std::_Throw_Cpp_error 42 API calls 47882->47883 47884 83c992 47883->47884 47885 7bace0 42 API calls 47884->47885 47885->47886 47886->47881 47888 7c6db0 42 API calls 47888->47894 47889 7d3662 42 API calls std::_Facet_Register 47889->47894 47890 83cb34 47891 7a2cf0 std::_Throw_Cpp_error 42 API calls 47890->47891 47895 83cb47 47891->47895 47892 7b3d50 42 API calls 47892->47894 47893 7c4900 42 API calls 47893->47894 47894->47834 47894->47835 47894->47836 47894->47837 47894->47838 47894->47840 47894->47842 47894->47849 47894->47852 47894->47853 47894->47854 47894->47855 47894->47856 47894->47858 47894->47859 47894->47860 47894->47861 47894->47862 47894->47867 47894->47870 47894->47872 47894->47873 47894->47874 47894->47875 47894->47877 47894->47882 47894->47888 47894->47889 47894->47890 47894->47892 47894->47893 48143 7bc3a0 42 API calls std::_Facet_Register 47894->48143 48144 7c3f40 104 API calls 4 library calls 47894->48144 48145 8e82d0 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection RtlFreeHeap GetLastError 47894->48145 47896 7bace0 42 API calls 47895->47896 47896->47886 47898 838ab6 47897->47898 47899 7b7ef0 42 API calls 47898->47899 47900 838adf 47899->47900 47901 7b40c0 42 API calls 47900->47901 47902 838b09 47901->47902 47903 7baf80 42 API calls 47902->47903 47904 838c48 __fread_nolock 47903->47904 47905 838c66 SHGetFolderPathA 47904->47905 47906 7bac50 42 API calls 47905->47906 47907 838c93 47906->47907 47908 7bab20 42 API calls 47907->47908 47909 838d47 __fread_nolock 47908->47909 47910 838d61 GetPrivateProfileSectionNamesA 47909->47910 47936 838d94 std::ios_base::_Ios_base_dtor __fread_nolock std::locale::_Locimp::_Locimp 47910->47936 47911 7e0f9e 50 API calls 47911->47936 47912 83ad4c lstrlen 47916 83ad62 47912->47916 47912->47936 47913 838e85 GetPrivateProfileStringA 47913->47936 47914 
83ae49 47918 7d8c60 std::_Throw_Cpp_error 40 API calls 47914->47918 47915 7be8a0 42 API calls 47915->47936 47916->47732 47917 7babb0 42 API calls 47917->47936 47919 83ae53 47918->47919 48148 7b9e60 42 API calls 47919->48148 47921 83ae58 47923 7a2cf0 std::_Throw_Cpp_error 42 API calls 47921->47923 47922 7a3040 42 API calls std::_Throw_Cpp_error 47922->47936 47924 83ae6f 47923->47924 47925 7bace0 42 API calls 47924->47925 47926 83ae84 47925->47926 47927 7a7cf0 42 API calls 47926->47927 47929 83ae9c 47927->47929 47928 7bab20 42 API calls 47928->47936 47930 7d51eb std::_Throw_Cpp_error RaiseException 47929->47930 47932 83aeb0 47930->47932 47931 7d9810 42 API calls 47931->47936 47933 7dd098 78 API calls 47933->47936 47934 7b40c0 42 API calls 47934->47936 47935 883880 45 API calls 47935->47936 47936->47911 47936->47912 47936->47913 47936->47914 47936->47915 47936->47917 47936->47919 47936->47921 47936->47922 47936->47928 47936->47931 47936->47933 47936->47934 47936->47935 47938 83ada1 47936->47938 47939 7a32d0 42 API calls std::_Throw_Cpp_error 47936->47939 47940 7b85d0 78 API calls 47936->47940 47941 7b80a0 42 API calls 47936->47941 47943 7b6130 42 API calls 47936->47943 47947 873b40 150 API calls 47936->47947 47950 7baf80 42 API calls 47936->47950 47952 83abf3 47936->47952 47953 8739a0 89 API calls 47936->47953 47954 7b3d50 42 API calls 47936->47954 47961 7bfbf0 42 API calls 47936->47961 47962 7b8f00 std::_Throw_Cpp_error 42 API calls 47936->47962 47963 8ae2b0 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection RtlFreeHeap GetLastError 47936->47963 47964 8e81a0 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection RtlFreeHeap GetLastError 47936->47964 47965 7d3662 42 API calls std::_Facet_Register 47936->47965 47966 7b7ef0 42 API calls 47936->47966 47967 7c6db0 42 API calls 47936->47967 47968 7b63b0 std::_Throw_Cpp_error 42 API calls 47936->47968 47969 83adf5 47936->47969 47970 7c4900 42 API calls 47936->47970 47974 8e8990 RtlAllocateHeap 
RtlEnterCriticalSection RtlLeaveCriticalSection RtlFreeHeap GetLastError 47936->47974 48146 7bc3a0 42 API calls std::_Facet_Register 47936->48146 48147 8e82d0 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection RtlFreeHeap GetLastError 47936->48147 47942 7a2cf0 std::_Throw_Cpp_error 42 API calls 47938->47942 47939->47936 47940->47936 47941->47936 47944 83adb8 47942->47944 47943->47936 47945 7bace0 42 API calls 47944->47945 47946 83adcd 47945->47946 47948 7a7cf0 42 API calls 47946->47948 47947->47936 47949 83ade5 47948->47949 47951 7d51eb std::_Throw_Cpp_error RaiseException 47949->47951 47950->47936 47951->47914 47955 7a2cf0 std::_Throw_Cpp_error 42 API calls 47952->47955 47953->47936 47954->47936 47957 83ac06 47955->47957 47958 7bace0 42 API calls 47957->47958 47959 83ac1b 47958->47959 47960 7a7cf0 42 API calls 47959->47960 47960->47949 47961->47936 47962->47936 47963->47936 47964->47936 47965->47936 47966->47936 47967->47936 47968->47936 47971 7a2cf0 std::_Throw_Cpp_error 42 API calls 47969->47971 47970->47936 47972 83ae08 47971->47972 47973 7bace0 42 API calls 47972->47973 47973->47959 47974->47936 47976 836206 47975->47976 47977 7b7ef0 42 API calls 47976->47977 47978 83622f 47977->47978 47979 7b40c0 42 API calls 47978->47979 47980 836259 47979->47980 47981 7baf80 42 API calls 47980->47981 47982 8362f4 __fread_nolock 47981->47982 47983 836312 SHGetFolderPathA 47982->47983 47984 7bac50 42 API calls 47983->47984 47985 83633f 47984->47985 47986 7bab20 42 API calls 47985->47986 47987 8363e4 __fread_nolock 47986->47987 47988 8363fe GetPrivateProfileSectionNamesA 47987->47988 48037 836434 std::ios_base::_Ios_base_dtor __fread_nolock std::locale::_Locimp::_Locimp 47988->48037 47989 7e0f9e 50 API calls 47989->48037 47990 838930 lstrlen 47994 838949 47990->47994 47990->48037 47991 836525 GetPrivateProfileStringA 47991->48037 47992 838a17 47996 7d8c60 std::_Throw_Cpp_error 40 API calls 47992->47996 47993 7be8a0 42 API calls 47993->48037 47994->47732 47995 
7babb0 42 API calls 47995->48037 47997 838a21 47996->47997 47998 7a2cf0 std::_Throw_Cpp_error 42 API calls 47997->47998 47999 838a35 47998->47999 48000 7bace0 42 API calls 47999->48000 48001 838a4a 48000->48001 48002 7a7cf0 42 API calls 48001->48002 48003 838a62 48002->48003 48005 7d51eb std::_Throw_Cpp_error RaiseException 48003->48005 48004 7bab20 42 API calls 48004->48037 48006 838a76 48005->48006 48007 7d9810 42 API calls 48007->48037 48008 7dd098 78 API calls 48008->48037 48009 7b40c0 42 API calls 48009->48037 48010 7a2fe0 40 API calls std::_Throw_Cpp_error 48010->48037 48011 7a32d0 42 API calls std::_Throw_Cpp_error 48011->48037 48012 883880 45 API calls 48012->48037 48014 838988 48017 7a2cf0 std::_Throw_Cpp_error 42 API calls 48014->48017 48015 7b85d0 78 API calls 48015->48037 48016 7b80a0 42 API calls 48016->48037 48019 83899f 48017->48019 48018 7b6130 42 API calls 48018->48037 48020 7bace0 42 API calls 48019->48020 48021 838862 48020->48021 48023 7a7cf0 42 API calls 48021->48023 48022 873b40 150 API calls 48022->48037 48024 838a03 48023->48024 48027 7d51eb std::_Throw_Cpp_error RaiseException 48024->48027 48025 8ae2b0 5 API calls 48025->48037 48026 7baf80 42 API calls 48026->48037 48027->47992 48028 8739a0 89 API calls 48028->48037 48029 83883a 48033 7a2cf0 std::_Throw_Cpp_error 42 API calls 48029->48033 48030 7b3d50 42 API calls 48030->48037 48031 7c4900 42 API calls 48031->48037 48034 83884d 48033->48034 48035 7bace0 42 API calls 48034->48035 48035->48021 48036 7d3662 42 API calls std::_Facet_Register 48036->48037 48037->47989 48037->47990 48037->47991 48037->47992 48037->47993 48037->47995 48037->47997 48037->48004 48037->48007 48037->48008 48037->48009 48037->48010 48037->48011 48037->48012 48037->48014 48037->48015 48037->48016 48037->48018 48037->48022 48037->48025 48037->48026 48037->48028 48037->48029 48037->48030 48037->48031 48037->48036 48038 7a3040 42 API calls std::_Throw_Cpp_error 48037->48038 48039 7c6db0 42 API calls 48037->48039 48040 
8e81a0 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection RtlFreeHeap GetLastError 48037->48040 48041 7e12e6 50 API calls 48037->48041 48043 8389c3 48037->48043 48044 7b7ef0 42 API calls 48037->48044 48048 8e8990 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection RtlFreeHeap GetLastError 48037->48048 48149 7bc3a0 42 API calls std::_Facet_Register 48037->48149 48150 7cc070 42 API calls 2 library calls 48037->48150 48151 8e82d0 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection RtlFreeHeap GetLastError 48037->48151 48038->48037 48039->48037 48040->48037 48041->48037 48045 7a2cf0 std::_Throw_Cpp_error 42 API calls 48043->48045 48044->48037 48046 8389d6 48045->48046 48047 7bace0 42 API calls 48046->48047 48047->48021 48048->48037 48050 833f06 48049->48050 48051 7b7ef0 42 API calls 48050->48051 48052 833f2f 48051->48052 48053 7b40c0 42 API calls 48052->48053 48054 833f59 48053->48054 48055 7baf80 42 API calls 48054->48055 48056 833ff4 __fread_nolock 48055->48056 48057 834012 SHGetFolderPathA 48056->48057 48058 7bac50 42 API calls 48057->48058 48059 83403f 48058->48059 48060 7bab20 42 API calls 48059->48060 48061 8340e4 __fread_nolock 48060->48061 48062 8340fe GetPrivateProfileSectionNamesA 48061->48062 48089 834131 std::ios_base::_Ios_base_dtor __fread_nolock __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z std::locale::_Locimp::_Locimp 48062->48089 48063 7e0f9e 50 API calls 48063->48089 48064 83606e lstrlen 48068 836084 48064->48068 48064->48089 48065 834222 GetPrivateProfileStringA 48065->48089 48066 83616b 48069 7d8c60 std::_Throw_Cpp_error 40 API calls 48066->48069 48067 7be8a0 42 API calls 48067->48089 48068->47732 48071 836175 48069->48071 48070 7babb0 42 API calls 48070->48089 48072 7a2cf0 std::_Throw_Cpp_error 42 API calls 48071->48072 48073 83618c 48072->48073 48074 7bace0 42 API calls 48073->48074 48075 8361a1 48074->48075 48076 7a7cf0 42 API calls 48075->48076 48077 8361b9 48076->48077 48079 7d51eb std::_Throw_Cpp_error 
RaiseException 48077->48079 48078 7bab20 42 API calls 48078->48089 48080 8361cd 48079->48080 48081 7d9810 42 API calls 48081->48089 48082 7a3040 42 API calls std::_Throw_Cpp_error 48082->48089 48083 7dd098 78 API calls 48083->48089 48084 7b40c0 42 API calls 48084->48089 48085 883880 45 API calls 48085->48089 48087 8360c3 48092 7a2cf0 std::_Throw_Cpp_error 42 API calls 48087->48092 48088 7a32d0 42 API calls std::_Throw_Cpp_error 48088->48089 48089->48063 48089->48064 48089->48065 48089->48066 48089->48067 48089->48070 48089->48071 48089->48078 48089->48081 48089->48082 48089->48083 48089->48084 48089->48085 48089->48087 48089->48088 48090 7b85d0 78 API calls 48089->48090 48091 7b6130 42 API calls 48089->48091 48095 873b40 150 API calls 48089->48095 48099 7baf80 42 API calls 48089->48099 48100 8ae2b0 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection RtlFreeHeap GetLastError 48089->48100 48102 8e8990 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection RtlFreeHeap GetLastError 48089->48102 48103 8739a0 89 API calls 48089->48103 48104 835f15 48089->48104 48108 8e81a0 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection RtlFreeHeap GetLastError 48089->48108 48112 7bfbf0 42 API calls 48089->48112 48113 7b8f00 std::_Throw_Cpp_error 42 API calls 48089->48113 48114 7d3662 std::_Facet_Register 42 API calls 48089->48114 48115 7b7ef0 42 API calls 48089->48115 48116 7c6db0 42 API calls 48089->48116 48117 7e12e6 50 API calls 48089->48117 48118 7b80a0 42 API calls 48089->48118 48119 836117 48089->48119 48121 7b3d50 42 API calls 48089->48121 48122 7c4900 42 API calls 48089->48122 48152 7bc3a0 42 API calls std::_Facet_Register 48089->48152 48153 8e82d0 RtlAllocateHeap RtlEnterCriticalSection RtlLeaveCriticalSection RtlFreeHeap GetLastError 48089->48153 48090->48089 48091->48089 48093 8360da 48092->48093 48094 7bace0 42 API calls 48093->48094 48096 8360ef 48094->48096 48095->48089 48097 7a7cf0 42 API calls 48096->48097 48098 836107 48097->48098 
48101 7d51eb std::_Throw_Cpp_error RaiseException 48098->48101 48099->48089 48100->48089 48101->48066 48102->48089 48103->48089 48106 7a2cf0 std::_Throw_Cpp_error 42 API calls 48104->48106 48107 835f28 48106->48107 48109 7bace0 42 API calls 48107->48109 48108->48089 48110 835f3d 48109->48110 48111 7a7cf0 42 API calls 48110->48111 48111->48098 48112->48089 48113->48089 48114->48089 48115->48089 48116->48089 48117->48089 48118->48089 48120 7a2cf0 std::_Throw_Cpp_error 42 API calls 48119->48120 48123 83612a 48120->48123 48121->48089 48122->48089 48124 7bace0 42 API calls 48123->48124 48124->48110 48126 7e0fad 48125->48126 48127 7e0ff5 48125->48127 48128 7e0fb3 48126->48128 48132 7e0fd0 48126->48132 48142 7e100b 50 API calls 2 library calls 48127->48142 48140 7d8c50 40 API calls ___std_exception_copy 48128->48140 48130 7e0fc3 48130->47749 48134 7e0fee 48132->48134 48141 7d8c50 40 API calls ___std_exception_copy 48132->48141 48134->47749 48135->47749 48137->47749 48138->47749 48139->47749 48140->48130 48141->48130 48142->48130 48143->47894 48144->47894 48145->47894 48146->47936 48147->47936 48149->48037 48150->48037 48151->48037 48152->48089 48153->48089 48163 7b9950 48164 7b9978 std::ios_base::_Ios_base_dtor 48163->48164 48165 7b9968 48163->48165 48165->48164 48166 7d8c60 std::_Throw_Cpp_error 40 API calls 48165->48166 48167 7b998d 48166->48167 48168 7b9a4f 48167->48168 48175 7d2b64 48167->48175 48172 7b99dd 48184 7bc430 76 API calls 4 library calls 48172->48184 48174 7b9a04 48176 7d2ae7 48175->48176 48179 7b99cc 48176->48179 48185 7d9805 48176->48185 48178 7d2b33 48178->48179 48180 7dd5e6 75 API calls 48178->48180 48179->48168 48183 7b83b0 40 API calls 48179->48183 48181 7d2b4e 48180->48181 48181->48179 48182 7dd098 78 API calls 48181->48182 48182->48179 48183->48172 48184->48174 48186 7d974e __fread_nolock 48185->48186 48187 7d9761 48186->48187 48188 7d9781 48186->48188 48194 7d8c50 40 API calls ___std_exception_copy 48187->48194 48190 7ea8e1 13 API calls 
48188->48190 48191 7d9771 48188->48191 48192 7d979c 48190->48192 48191->48178 48192->48191 48195 7d97ee RtlLeaveCriticalSection __fread_nolock 48192->48195 48194->48191 48195->48191 48196 7c0ad0 48201 7c14a0 48196->48201 48198 7c0ae0 48199 7c9e20 42 API calls 48198->48199 48200 7c0b2a 48198->48200 48199->48200 48202 7c14cb 48201->48202 48203 7c14ee 48202->48203 48204 7c9e20 42 API calls 48202->48204 48203->48198 48205 7c150b 48204->48205 48205->48198 48206 7fe090 48253 7ab8e0 48206->48253 48208 7fe0f1 48209 7bab20 42 API calls 48208->48209 48210 7fe168 CreateDirectoryA 48209->48210 48213 7fe82d 48210->48213 48220 7fe19c 48210->48220 48211 7fe7f4 48212 7b63b0 std::_Throw_Cpp_error 42 API calls 48211->48212 48214 7fe808 48212->48214 48215 7fef7c 48213->48215 48216 7bab20 42 API calls 48213->48216 48729 87c3e0 48214->48729 48217 7fe8b1 CreateDirectoryA 48216->48217 48217->48215 48226 7fe8df 48217->48226 48219 7fe818 48219->48213 48222 883b20 95 API calls 48219->48222 48220->48211 48223 7b63b0 42 API calls std::_Throw_Cpp_error 48220->48223 48231 7fe30e CreateDirectoryA 48220->48231 48233 7bad80 42 API calls 48220->48233 48235 884050 88 API calls 48220->48235 48236 7fe401 CreateDirectoryA 48220->48236 48239 7a2cf0 std::_Throw_Cpp_error 42 API calls 48220->48239 48240 7bab20 42 API calls 48220->48240 48241 7bae20 42 API calls 48220->48241 48243 7fe4ee CreateDirectoryA 48220->48243 48249 7fe743 CreateDirectoryA 48220->48249 49520 7b6290 42 API calls 48220->49520 49521 87d2b0 48220->49521 48221 7fef43 48225 7b63b0 std::_Throw_Cpp_error 42 API calls 48221->48225 48222->48213 48223->48220 48224 7b63b0 42 API calls std::_Throw_Cpp_error 48224->48226 48227 7fef57 48225->48227 48226->48221 48226->48224 48232 7bad80 42 API calls 48226->48232 48234 7fea51 CreateDirectoryA 48226->48234 48237 884050 88 API calls 48226->48237 48238 7feb44 CreateDirectoryA 48226->48238 48242 7a2cf0 std::_Throw_Cpp_error 42 API calls 48226->48242 48245 7bab20 42 API calls 48226->48245 48246 7fec31 
CreateDirectoryA 48226->48246 48247 7bae20 42 API calls 48226->48247 48251 7fee92 CreateDirectoryA 48226->48251 48252 87d2b0 205 API calls 48226->48252 49711 7b6290 42 API calls 48226->49711 48811 8749b0 48227->48811 48231->48220 48232->48226 48233->48220 48234->48226 48235->48220 48236->48220 48237->48226 48238->48226 48239->48220 48240->48220 48241->48220 48242->48226 48243->48220 48245->48226 48246->48226 48247->48226 48249->48220 48251->48226 48252->48226 48254 7ab916 48253->48254 48255 7bab20 42 API calls 48254->48255 48312 7abfd1 48254->48312 48256 7ab9e7 CreateDirectoryA 48255->48256 48259 7aba12 48256->48259 48256->48312 48257 7bab20 42 API calls 48260 7ac0ab CreateDirectoryA 48257->48260 48258 7b2270 48258->48208 48263 7bab20 42 API calls 48259->48263 48264 7ac0d6 48260->48264 48572 7af315 48260->48572 48261 7bab20 42 API calls 48265 7af43a CreateDirectoryA 48261->48265 48262 7bab20 42 API calls 48266 7b1e4d CreateDirectoryA 48262->48266 48267 7abab4 CreateDirectoryA 48263->48267 48268 7bab20 42 API calls 48264->48268 48269 7af465 48265->48269 48528 7b1d37 48265->48528 48266->48258 48270 7b1e78 48266->48270 48271 7abae2 __fread_nolock 48267->48271 48364 7abc28 48267->48364 48272 7ac178 CreateDirectoryA 48268->48272 48273 7bab20 42 API calls 48269->48273 48276 7bab20 42 API calls 48270->48276 48283 7abaf5 SHGetFolderPathA 48271->48283 48277 7ac1a0 48272->48277 48395 7ac4a7 48272->48395 48274 7af507 CreateDirectoryA 48273->48274 48279 7af52f 48274->48279 48403 7af853 48274->48403 48275 7bab20 42 API calls 48280 7abcea CreateDirectoryA 48275->48280 48281 7b1fa0 CreateDirectoryA 48276->48281 48278 7a2cf0 std::_Throw_Cpp_error 42 API calls 48277->48278 48284 7ac2be 48278->48284 48296 7a3040 std::_Throw_Cpp_error 42 API calls 48279->48296 48285 7abd12 __fread_nolock 48280->48285 48436 7abfad 48280->48436 48286 7b1fc8 48281->48286 48427 7b223a 48281->48427 48282 7bab20 42 API calls 48287 7ac557 CreateDirectoryA 48282->48287 48288 7a2cf0 std::_Throw_Cpp_error 42 
API calls 48283->48288 48302 7bace0 42 API calls 48284->48302 48297 7abd25 SHGetFolderPathA 48285->48297 48307 7a3040 std::_Throw_Cpp_error 42 API calls 48286->48307 48291 7ac57f 48287->48291 48663 7ad1ae 48287->48663 48292 7abba1 48288->48292 48289 7bab20 42 API calls 48293 7af915 CreateDirectoryA 48289->48293 48290 883b20 95 API calls 48290->48258 48299 7a2cf0 std::_Throw_Cpp_error 42 API calls 48291->48299 48300 7bace0 42 API calls 48292->48300 48295 7af93d 48293->48295 48433 7afb75 48293->48433 48294 883b20 95 API calls 48294->48312 48301 7a2cf0 std::_Throw_Cpp_error 42 API calls 48295->48301 48303 7af704 48296->48303 48304 7a2cf0 std::_Throw_Cpp_error 42 API calls 48297->48304 48298 7bab20 42 API calls 48305 7ad27c CreateDirectoryA 48298->48305 48308 7ac727 48299->48308 48309 7abbb7 48300->48309 48310 7afa5b 48301->48310 48311 7ac367 48302->48311 48324 7bace0 42 API calls 48303->48324 48313 7abe57 48304->48313 48314 7ad2a4 48305->48314 48501 7ad62a 48305->48501 48306 7bab20 42 API calls 48315 7afc37 CreateDirectoryA 48306->48315 48316 7b211c 48307->48316 48320 7bace0 42 API calls 48308->48320 48321 884050 88 API calls 48309->48321 48329 7bace0 42 API calls 48310->48329 48332 7a2cf0 std::_Throw_Cpp_error 42 API calls 48311->48332 48312->48257 48312->48572 48318 7bace0 42 API calls 48313->48318 48334 7a2cf0 std::_Throw_Cpp_error 42 API calls 48314->48334 48319 7afc5f 48315->48319 48468 7afe11 48315->48468 48336 7bace0 42 API calls 48316->48336 48317 7bab20 42 API calls 48323 7ad6da CreateDirectoryA 48317->48323 48325 7abe6d 48318->48325 48326 7a2cf0 std::_Throw_Cpp_error 42 API calls 48319->48326 48327 7ac7d0 48320->48327 48328 7abbe2 48321->48328 48322 7bab20 42 API calls 48330 7afed3 CreateDirectoryA 48322->48330 48331 7ad702 48323->48331 48508 7ada09 48323->48508 48333 7af7b1 48324->48333 48347 7a2cf0 std::_Throw_Cpp_error 42 API calls 48325->48347 48335 7afcf7 48326->48335 48360 7a2cf0 std::_Throw_Cpp_error 42 API calls 48327->48360 48338 7abc21 48328->48338 
48350 7b63b0 std::_Throw_Cpp_error 42 API calls 48328->48350 48339 7afb04 48329->48339 48340 7afefb 48330->48340 48502 7b0e44 48330->48502 48341 7a2cf0 std::_Throw_Cpp_error 42 API calls 48331->48341 48342 7ac39b 48332->48342 48343 7af7d6 48333->48343 48346 7a2fe0 std::_Throw_Cpp_error 40 API calls 48333->48346 48344 7ad3bb 48334->48344 48356 7bace0 42 API calls 48335->48356 48345 7b21c9 48336->48345 48337 7bab20 42 API calls 48349 7adab9 CreateDirectoryA 48337->48349 48354 883b20 95 API calls 48338->48354 48338->48364 48368 884050 88 API calls 48339->48368 48351 7a2cf0 std::_Throw_Cpp_error 42 API calls 48340->48351 48352 7ad820 48341->48352 48353 884120 78 API calls 48342->48353 48348 884050 88 API calls 48343->48348 48377 7bace0 42 API calls 48344->48377 48367 884050 88 API calls 48345->48367 48346->48343 48357 7abea1 48347->48357 48358 7af80d 48348->48358 48359 7adae1 48349->48359 48536 7ade6e 48349->48536 48361 7abbfa 48350->48361 48362 7aff97 48351->48362 48391 7bace0 42 API calls 48352->48391 48363 7ac3a8 48353->48363 48354->48364 48355 7bab20 42 API calls 48365 7b0ef4 CreateDirectoryA 48355->48365 48366 7afda0 48356->48366 48369 884120 78 API calls 48357->48369 48371 7af84c 48358->48371 48385 7b63b0 std::_Throw_Cpp_error 42 API calls 48358->48385 48372 7a2cf0 std::_Throw_Cpp_error 42 API calls 48359->48372 48373 7ac804 48360->48373 48374 7b63b0 std::_Throw_Cpp_error 42 API calls 48361->48374 48404 7bace0 42 API calls 48362->48404 48375 7ac49b 48363->48375 48392 7bab20 42 API calls 48363->48392 48364->48275 48376 7b0f1c 48365->48376 48571 7b1833 48365->48571 48407 884050 88 API calls 48366->48407 48380 7b21f4 48367->48380 48382 7afb2f 48368->48382 48383 7abeae 48369->48383 48370 7bab20 42 API calls 48384 7adf1e CreateDirectoryA 48370->48384 48390 883b20 95 API calls 48371->48390 48371->48403 48386 7adc85 48372->48386 48388 884120 78 API calls 48373->48388 48389 7abc12 48374->48389 48381 883b20 95 API calls 48375->48381 48378 7a2cf0 std::_Throw_Cpp_error 42 
API calls 48376->48378 48379 7ad464 48377->48379 48393 7b0fb9 48378->48393 48424 7a2cf0 std::_Throw_Cpp_error 42 API calls 48379->48424 48394 7b2233 48380->48394 48408 7b63b0 std::_Throw_Cpp_error 42 API calls 48380->48408 48381->48395 48396 7afb6e 48382->48396 48410 7b63b0 std::_Throw_Cpp_error 42 API calls 48382->48410 48397 7abfa1 48383->48397 48411 7bab20 42 API calls 48383->48411 48398 7adf46 48384->48398 48587 7ae629 48384->48587 48399 7af825 48385->48399 48434 7bace0 42 API calls 48386->48434 48387 7bab20 42 API calls 48400 7b18e6 CreateDirectoryA 48387->48400 48401 7ac811 48388->48401 48402 87d2b0 205 API calls 48389->48402 48390->48403 48405 7ad8c9 48391->48405 48406 7ac451 48392->48406 48439 7bace0 42 API calls 48393->48439 48409 883b20 95 API calls 48394->48409 48394->48427 48395->48282 48415 883b20 95 API calls 48396->48415 48396->48433 48418 883b20 95 API calls 48397->48418 48412 7a2cf0 std::_Throw_Cpp_error 42 API calls 48398->48412 48414 7b63b0 std::_Throw_Cpp_error 42 API calls 48399->48414 48416 7b190e 48400->48416 48574 7b1d13 48400->48574 48417 7ac98c 48401->48417 48435 7bab20 42 API calls 48401->48435 48402->48338 48403->48289 48419 7b0040 48404->48419 48437 7a2cf0 std::_Throw_Cpp_error 42 API calls 48405->48437 48420 7ac462 CopyFileA 48406->48420 48421 7ac460 48406->48421 48425 7afdcb 48407->48425 48426 7b220c 48408->48426 48409->48427 48428 7afb47 48410->48428 48429 7abf57 48411->48429 48430 7adfe3 48412->48430 48413 7bab20 42 API calls 48431 7ae6dc CreateDirectoryA 48413->48431 48432 7af83d 48414->48432 48415->48433 48461 7a3040 std::_Throw_Cpp_error 42 API calls 48416->48461 48423 7a2cf0 std::_Throw_Cpp_error 42 API calls 48417->48423 48418->48436 48464 884050 88 API calls 48419->48464 48422 7ac491 48420->48422 48421->48420 48422->48375 48452 7ac495 48422->48452 48438 7acb30 48423->48438 48440 7ad498 48424->48440 48441 7afe0a 48425->48441 48455 7b63b0 std::_Throw_Cpp_error 42 API calls 48425->48455 48442 7b63b0 std::_Throw_Cpp_error 42 API 
calls 48426->48442 48427->48258 48427->48290 48443 7b63b0 std::_Throw_Cpp_error 42 API calls 48428->48443 48444 7abf68 CopyFileA 48429->48444 48445 7abf66 48429->48445 48474 7bace0 42 API calls 48430->48474 48446 7ae704 48431->48446 48543 7af2eb 48431->48543 48447 87d2b0 205 API calls 48432->48447 48433->48306 48448 7add2e 48434->48448 48449 7ac940 48435->48449 48436->48294 48436->48312 48451 7ad8fd 48437->48451 48478 7bace0 42 API calls 48438->48478 48453 7b1062 48439->48453 48454 884120 78 API calls 48440->48454 48457 883b20 95 API calls 48441->48457 48441->48468 48456 7b2224 48442->48456 48458 7afb5f 48443->48458 48459 7abf97 48444->48459 48445->48444 48460 7a2cf0 std::_Throw_Cpp_error 42 API calls 48446->48460 48447->48371 48484 7a2cf0 std::_Throw_Cpp_error 42 API calls 48448->48484 48462 7ac94f 48449->48462 48463 7ac951 CopyFileA 48449->48463 48450 883b20 95 API calls 48450->48528 48465 884120 78 API calls 48451->48465 48452->48395 48491 7b63b0 std::_Throw_Cpp_error 42 API calls 48453->48491 48471 7ad4a5 48454->48471 48466 7afde3 48455->48466 48467 87d2b0 205 API calls 48456->48467 48457->48468 48473 87d2b0 205 API calls 48458->48473 48459->48397 48482 7abf9b 48459->48482 48476 7b19dc 48461->48476 48462->48463 48469 7ac980 48463->48469 48470 7b006b 48464->48470 48477 7ad90a 48465->48477 48480 7b63b0 std::_Throw_Cpp_error 42 API calls 48466->48480 48467->48394 48468->48322 48469->48417 48489 7bab20 42 API calls 48470->48489 48728 7b0de7 48470->48728 48479 7ad61e 48471->48479 48492 7bab20 42 API calls 48471->48492 48472 883b20 95 API calls 48472->48572 48473->48396 48481 7ae08c 48474->48481 48504 7bace0 42 API calls 48476->48504 48485 7ad9fd 48477->48485 48496 7bab20 42 API calls 48477->48496 48490 7acbd9 48478->48490 48493 883b20 95 API calls 48479->48493 48486 7afdfb 48480->48486 48482->48436 48488 7add62 48484->48488 48500 883b20 95 API calls 48485->48500 48499 87d2b0 205 API calls 48486->48499 48487 883b20 95 API calls 48487->48502 48503 884120 78 API calls 
48488->48503 48495 7b0111 48489->48495 48521 7a2cf0 std::_Throw_Cpp_error 42 API calls 48490->48521 48497 7b1088 48491->48497 48498 7ad5d4 48492->48498 48493->48501 48510 884050 88 API calls 48495->48510 48507 7ad9b3 48496->48507 48512 7ad5e3 48498->48512 48513 7ad5e5 CopyFileA 48498->48513 48499->48441 48500->48508 48501->48317 48502->48355 48508->48337 48512->48513 48522 7ad614 48513->48522 48529 7acc0d 48521->48529 48522->48479 48539 7ad618 48522->48539 48528->48258 48528->48262 48537 884120 78 API calls 48529->48537 48536->48370 48539->48501 48543->48472 48543->48572 48571->48387 48572->48261 48572->48528 48574->48450 48574->48528 48587->48413 48663->48298 48728->48487 48728->48502 48730 7d59a0 __fread_nolock 48729->48730 48731 87c438 SHGetFolderPathA 48730->48731 48732 87c500 48731->48732 48732->48732 48733 7a3040 std::_Throw_Cpp_error 42 API calls 48732->48733 48734 87c51c 48733->48734 48735 7bfbf0 42 API calls 48734->48735 48736 87c54d 48735->48736 48737 87c5c0 std::ios_base::_Ios_base_dtor 48736->48737 48739 87d289 48736->48739 48738 884050 88 API calls 48737->48738 48740 87c5f5 48738->48740 48741 7d8c60 std::_Throw_Cpp_error 40 API calls 48739->48741 48743 7bab20 42 API calls 48740->48743 48747 87d1b0 48740->48747 48741->48747 48742 87d24b std::ios_base::_Ios_base_dtor 48742->48219 48744 87c698 48743->48744 48745 884050 88 API calls 48744->48745 48746 87c6b8 48745->48746 48747->48742 48748 7d8c60 std::_Throw_Cpp_error 40 API calls 48747->48748 48750 87d2a2 48748->48750 48812 8749e6 __fread_nolock 48811->48812 48813 874a04 SHGetFolderPathA 48812->48813 48814 7d59a0 __fread_nolock 48813->48814 48815 874a31 SHGetFolderPathA 48814->48815 48816 874b78 48815->48816 48816->48816 48817 7a3040 std::_Throw_Cpp_error 42 API calls 48816->48817 48818 874b94 48817->48818 48819 7bace0 42 API calls 48818->48819 48821 874bb0 std::ios_base::_Ios_base_dtor 48819->48821 48820 884050 88 API calls 48822 874c25 48820->48822 48821->48820 49517 87b742 48821->49517 48823 7d8c60 
std::_Throw_Cpp_error 40 API calls 49517->48823 49519 87b790 std::ios_base::_Ios_base_dtor 49517->49519 49520->48220 49522 7bab20 42 API calls 49521->49522 49524 87d40f 49522->49524 49523 87d4a2 FindFirstFileA 49531 87d93f std::ios_base::_Ios_base_dtor 49523->49531 49582 87d4cf std::locale::_Locimp::_Locimp 49523->49582 49525 87da6c 49524->49525 49526 87d44f std::ios_base::_Ios_base_dtor 49524->49526 49527 7d8c60 std::_Throw_Cpp_error 40 API calls 49525->49527 49526->49523 49529 87da71 49527->49529 49528 87d914 FindNextFileA 49530 87d92b FindClose GetLastError 49528->49530 49528->49582 49532 7d8c60 std::_Throw_Cpp_error 40 API calls 49529->49532 49530->49531 49531->49529 49534 87da20 std::ios_base::_Ios_base_dtor 49531->49534 49533 87da7b 49532->49533 49536 7bab20 42 API calls 49533->49536 49534->48220 49535 7b8f00 42 API calls std::_Throw_Cpp_error 49535->49582 49537 87dbea 49536->49537 49538 7d9810 42 API calls 49537->49538 49539 87dc98 49538->49539 49710 8818ce std::ios_base::_Ios_base_dtor 49539->49710 49853 884590 GetCurrentProcess IsWow64Process 49539->49853 49540 7b63b0 std::_Throw_Cpp_error 42 API calls 49543 881958 49540->49543 49542 7be8a0 42 API calls 49542->49582 49545 8849f0 89 API calls 49543->49545 49547 881967 49545->49547 49546 7a3350 76 API calls 49548 87dd74 49546->49548 49920 882950 MultiByteToWideChar 49547->49920 49550 7a3350 76 API calls 49548->49550 49552 87de1e 49550->49552 49563 87d8ef CopyFileA 49565 87d950 GetLastError 49563->49565 49563->49582 49565->49531 49566 884050 88 API calls 49566->49582 49568 87d77d CreateDirectoryA 49568->49565 49568->49582 49576 7a32d0 42 API calls std::_Throw_Cpp_error 49576->49582 49580 87d2b0 155 API calls 49580->49582 49582->49528 49582->49529 49582->49531 49582->49535 49582->49542 49582->49563 49582->49566 49582->49568 49582->49576 49582->49580 49710->49540 49711->48226 49854 87dcb0 49853->49854 49854->49546 49921 882a9a 49920->49921 49991 801c30 49992 801c80 49991->49992 49993 7bab20 42 API calls 
49992->49993 49994 801d54 49993->49994 49995 884050 88 API calls 49994->49995 49996 801d7a 49995->49996 49997 883fc0 87 API calls 49996->49997 49998 801d9d 49996->49998 49997->49998 49999 7bb260 42 API calls 49998->49999 50001 8027de 49998->50001 50002 8027b0 49998->50002 50033 801dcd 49999->50033 50000 883b20 95 API calls 50000->50001 50003 7bab20 42 API calls 50001->50003 50002->50000 50002->50001 50004 8028c3 50003->50004 50005 884050 88 API calls 50004->50005 50006 8028e9 50005->50006 50007 883fc0 87 API calls 50006->50007 50008 80290c 50006->50008 50007->50008 50009 7bb260 42 API calls 50008->50009 50012 803349 50008->50012 50013 80331f 50008->50013 50038 80293c 50009->50038 50010 883b20 95 API calls 50010->50012 50011 7b30f0 42 API calls 50011->50033 50013->50010 50013->50012 50014 7b3200 42 API calls 50014->50033 50015 7bb260 42 API calls 50015->50033 50016 7b63b0 42 API calls std::_Throw_Cpp_error 50016->50033 50017 7b3200 42 API calls 50017->50038 50018 7bb260 42 API calls 50018->50038 50019 7bac50 42 API calls 50019->50033 50020 884050 88 API calls 50020->50033 50021 7b63b0 42 API calls std::_Throw_Cpp_error 50021->50038 50023 7bac50 42 API calls 50023->50038 50024 7d9810 42 API calls 50024->50033 50025 7b6240 42 API calls 50025->50038 50026 883fc0 87 API calls 50026->50033 50027 7bae20 42 API calls 50027->50033 50028 7babb0 42 API calls 50028->50033 50030 7b6240 42 API calls 50030->50033 50031 7dd098 78 API calls 50031->50033 50032 884050 88 API calls 50032->50038 50033->50002 50033->50011 50033->50014 50033->50015 50033->50016 50033->50019 50033->50020 50033->50024 50033->50026 50033->50027 50033->50028 50033->50030 50033->50031 50037 7a2cf0 42 API calls std::_Throw_Cpp_error 50033->50037 50042 7baf80 42 API calls 50033->50042 50044 7a3350 76 API calls 50033->50044 50045 7bb400 42 API calls 50033->50045 50049 7b6210 42 API calls std::_Throw_Cpp_error 50033->50049 50034 7d9810 42 API calls 50034->50038 50035 883fc0 87 API calls 50035->50038 50036 7bae20 
42 API calls 50036->50038 50037->50033 50038->50013 50038->50017 50038->50018 50038->50021 50038->50023 50038->50025 50038->50032 50038->50034 50038->50035 50038->50036 50039 7babb0 42 API calls 50038->50039 50040 7b30f0 42 API calls 50038->50040 50041 7dd098 78 API calls 50038->50041 50043 7a2cf0 42 API calls std::_Throw_Cpp_error 50038->50043 50046 7bb400 42 API calls 50038->50046 50047 7a3350 76 API calls 50038->50047 50048 7baf80 42 API calls 50038->50048 50050 7b6210 42 API calls std::_Throw_Cpp_error 50038->50050 50039->50038 50040->50038 50041->50038 50042->50033 50043->50038 50044->50033 50045->50033 50046->50038 50047->50038 50048->50038 50049->50033 50050->50038 50117 864eb0 50118 86527c 50117->50118 50128 864eee std::ios_base::_Ios_base_dtor __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 50117->50128 50119 864f37 setsockopt recv WSAGetLastError 50119->50118 50119->50128 50121 8651c5 recv 50124 86525f Sleep 50121->50124 50123 865267 Sleep 50123->50118 50123->50128 50124->50123 50125 7b8dc0 42 API calls 50126 864fdd recv 50125->50126 50127 864ffe recv 50126->50127 50126->50128 50127->50128 50128->50119 50128->50121 50128->50123 50128->50124 50128->50125 50129 7a9280 45 API calls 50128->50129 50130 865291 50128->50130 50131 7b63b0 std::_Throw_Cpp_error 42 API calls 50128->50131 50132 865086 setsockopt recv 50128->50132 50133 7b8dc0 42 API calls 50128->50133 50137 865940 WSAStartup 50128->50137 50150 8652a0 50128->50150 50209 7d3059 50128->50209 50129->50128 50134 7d8c60 std::_Throw_Cpp_error 40 API calls 50130->50134 50131->50128 50132->50128 50133->50132 50135 865296 50134->50135 50138 865a46 50137->50138 50139 865978 50137->50139 50138->50128 50139->50138 50140 8659ae getaddrinfo 50139->50140 50141 865a40 WSACleanup 50140->50141 50143 8659f6 50140->50143 50141->50138 50142 865a54 FreeAddrInfoW 50142->50141 50144 865a60 50142->50144 50143->50142 50145 865a04 socket 50143->50145 50144->50128 50145->50141 50146 865a1a connect 50145->50146 50147 865a50 
50146->50147 50148 865a2c closesocket 50146->50148 50147->50142 50148->50145 50149 865a36 FreeAddrInfoW 50148->50149 50149->50141 50151 8652ee 50150->50151 50152 86531c 50150->50152 50153 7a2cf0 std::_Throw_Cpp_error 42 API calls 50151->50153 50154 865324 50152->50154 50155 86533e 50152->50155 50156 865300 50153->50156 50212 7b6290 42 API calls 50154->50212 50158 865346 50155->50158 50159 865360 50155->50159 50162 7a9280 45 API calls 50156->50162 50213 7b6290 42 API calls 50158->50213 50160 865385 50159->50160 50161 865368 50159->50161 50164 86538d 50160->50164 50167 8653ab 50160->50167 50190 865314 50161->50190 50214 7b6290 42 API calls 50161->50214 50162->50190 50215 7e12a7 50 API calls ___std_exception_copy 50164->50215 50168 865670 50167->50168 50169 8653cb 50167->50169 50167->50190 50170 8656cb 50168->50170 50171 865678 50168->50171 50216 7a5400 87 API calls std::_Throw_Cpp_error 50169->50216 50174 865726 50170->50174 50175 8656d3 50170->50175 50173 7bb430 53 API calls 50171->50173 50173->50190 50177 865781 50174->50177 50178 86572e 50174->50178 50176 7bb430 53 API calls 50175->50176 50176->50190 50179 8657dc 50177->50179 50180 865789 50177->50180 50181 7bb430 53 API calls 50178->50181 50184 865834 50179->50184 50185 8657e4 50179->50185 50183 7bb430 53 API calls 50180->50183 50181->50190 50182 7a2cf0 std::_Throw_Cpp_error 42 API calls 50191 8653f0 50182->50191 50183->50190 50188 7f8af0 52 API calls 50184->50188 50184->50190 50187 7bb430 53 API calls 50185->50187 50186 7d2b9a RtlReleaseSRWLockExclusive 50186->50190 50187->50190 50188->50190 50189 7bace0 42 API calls 50189->50191 50190->50128 50191->50182 50191->50189 50192 8654bb 50191->50192 50205 865629 50191->50205 50217 7a2d30 42 API calls std::_Throw_Cpp_error 50192->50217 50194 8654df 50218 873670 44 API calls 5 library calls 50194->50218 50196 8654f0 50197 865562 GetCurrentProcess 50196->50197 50201 865595 50196->50201 50198 7b63b0 std::_Throw_Cpp_error 42 API calls 50197->50198 50199 86557e 50198->50199 
50219 86c630 61 API calls 3 library calls 50199->50219 50202 7d9810 42 API calls 50201->50202 50204 8655f7 50202->50204 50203 86558d 50203->50205 50204->50205 50206 7e1618 75 API calls 50204->50206 50205->50186 50207 865623 50206->50207 50208 7dd098 78 API calls 50207->50208 50208->50205 50220 7d360d 50209->50220 50212->50190 50213->50190 50214->50190 50215->50190 50216->50191 50217->50194 50218->50196 50219->50203 50221 7d363d GetSystemTimePreciseAsFileTime 50220->50221 50222 7d3649 GetSystemTimeAsFileTime 50220->50222 50223 7d3067 50221->50223 50222->50223 50223->50128 50225 8e0330 50226 8e0344 50225->50226 50228 8e04f6 50226->50228 50229 8e03f2 50226->50229 50235 8e0a10 5 API calls __fread_nolock 50226->50235 50229->50228 50231 8e0d70 50229->50231 50232 8e0d7b 50231->50232 50233 8e7470 3 API calls 50232->50233 50234 8e0d85 50232->50234 50233->50234 50234->50228 50235->50229 50438 7ff280 50439 7ff2cd 50438->50439 50443 7ff2ec 50438->50443 50440 7b63b0 std::_Throw_Cpp_error 42 API calls 50439->50440 50441 7ff2df 50440->50441 50444 831a60 50441->50444 50445 7d59a0 __fread_nolock 50444->50445 50446 831ab5 SHGetFolderPathA 50445->50446 50447 831c20 50446->50447 50447->50447 50448 7a3040 std::_Throw_Cpp_error 42 API calls 50447->50448 50449 831c3c 50448->50449 50450 7bfbf0 42 API calls 50449->50450 50453 831c6d std::ios_base::_Ios_base_dtor 50450->50453 50451 884050 88 API calls 50456 831d2d 50451->50456 50452 833299 50454 7d8c60 std::_Throw_Cpp_error 40 API calls 50452->50454 50453->50451 50453->50452 50455 83329e 50454->50455 50458 7b7ef0 42 API calls 50455->50458 50456->50455 50457 83324d 50456->50457 50459 7be8a0 42 API calls 50456->50459 50457->50443 50460 8332fd 50458->50460 50461 831e13 50459->50461 50462 7b40c0 42 API calls 50460->50462 50463 884050 88 API calls 50461->50463 50464 833328 50462->50464 50465 831e34 50463->50465 50466 8333dc 50464->50466 50467 7b7ef0 42 API calls 50464->50467 50465->50457 50470 7bab20 42 API calls 50465->50470 50468 8333f7 
50466->50468 50469 833e1d 50466->50469 50467->50466 50474 7a3040 std::_Throw_Cpp_error 42 API calls 50468->50474 50472 7a2cf0 std::_Throw_Cpp_error 42 API calls 50469->50472 50471 831f64 50470->50471 50473 7d9810 42 API calls 50471->50473 50475 833e30 50472->50475 50476 831f80 50473->50476 50477 83343d 50474->50477 50478 7bace0 42 API calls 50475->50478 50482 831f9e 50476->50482 50483 831f98 50476->50483 50479 7c6db0 42 API calls 50477->50479 50480 833e45 50478->50480 50488 833456 std::ios_base::_Ios_base_dtor 50479->50488 50481 7a7cf0 42 API calls 50480->50481 50484 833e5d 50481->50484 50486 7bab20 42 API calls 50482->50486 50485 7dd098 78 API calls 50483->50485 50489 7d51eb std::_Throw_Cpp_error RaiseException 50484->50489 50485->50482 50491 83205c FindFirstFileA 50486->50491 50487 833e71 50492 7d8c60 std::_Throw_Cpp_error 40 API calls 50487->50492 50488->50487 50490 833503 CredEnumerateA 50488->50490 50489->50487 50493 833df9 50490->50493 50526 83352b std::ios_base::_Ios_base_dtor 50490->50526 50494 8324a2 50491->50494 50527 832090 std::ios_base::_Ios_base_dtor 50491->50527 50495 833e76 50492->50495 50493->50443 50500 83320e 50494->50500 50501 7bab20 42 API calls 50494->50501 50505 7a2cf0 std::_Throw_Cpp_error 42 API calls 50495->50505 50496 833d57 50496->50493 50498 833d61 GetPEB 50496->50498 50497 832484 FindNextFileA 50499 83249b FindClose 50497->50499 50497->50527 50499->50494 50506 7b85d0 78 API calls 50500->50506 50502 83254f CreateDirectoryA 50501->50502 50502->50500 50504 83257d 50502->50504 50503 7bab20 42 API calls 50503->50527 50510 83324a 50506->50510 50510->50457 50513 7b8f00 std::_Throw_Cpp_error 42 API calls 50513->50527 50519 7babb0 42 API calls 50519->50527 50520 7b7ef0 42 API calls 50520->50526 50526->50487 50526->50495 50526->50496 50526->50520 50530 7b8dc0 42 API calls 50526->50530 50537 7a3040 std::_Throw_Cpp_error 42 API calls 50526->50537 50539 7c6db0 42 API calls 50526->50539 50542 7cc070 42 API calls 50526->50542 50548 7d3662 
std::_Facet_Register 42 API calls 50526->50548 50549 7b63b0 std::_Throw_Cpp_error 42 API calls 50526->50549 50550 7baf80 42 API calls 50526->50550 50558 7bcf80 42 API calls 2 library calls 50526->50558 50559 7b36c0 42 API calls std::_Throw_Cpp_error 50526->50559 50527->50452 50527->50497 50527->50503 50527->50513 50527->50519 50531 7d9810 42 API calls 50527->50531 50540 7dd098 78 API calls 50527->50540 50543 7a3040 std::_Throw_Cpp_error 42 API calls 50527->50543 50545 7c42a0 42 API calls 50527->50545 50530->50526 50531->50527 50537->50526 50539->50526 50540->50527 50542->50526 50543->50527 50545->50527 50548->50526 50549->50526 50550->50526 50558->50526 50559->50526
APIs
• SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?), ref: 00847D97
  • Part of subcall function 008633B0: FindFirstFileA.KERNELBASE(00000000,?), ref: 008634EF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: FileFindFirstFolderPath
• API String ID: 2195519125-797077965
• Opcode ID: e545b65548829ecc5b41a2d640c60ad57a7ad667bee75db5a910f7de9bd3429d
• Instruction ID: b4911530d38d0b8aa4ebc17c9b23489bf0ba1ce4687b320b2a1cd04fd80e2fb5
• Opcode Fuzzy Hash: e545b65548829ecc5b41a2d640c60ad57a7ad667bee75db5a910f7de9bd3429d
• Instruction Fuzzy Hash: F2B4FEB0D052698BDB25CF68C984BEDBBB5BF49304F1082D9D849B7242DB746B84CF91
Uniqueness
• Uniqueness Score: -1.00%
APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?), ref: 0083CD44
• GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0083CE42
• GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0083D035
• CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 0083F796
  • Part of subcall function 00884050: GetFileAttributesA.KERNELBASE ref: 008840AC
  • Part of subcall function 00884050: GetLastError.KERNEL32 ref: 008840B7
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,00000000), ref: 0083FA7D
• lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00840FAE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: CreateDirectoryPrivateProfile$AttributesErrorFileFolderLastNamesPathSectionStringlstrlen
• API String ID: 2833034228-769388876
• Opcode ID: b663b842af808f9cb4669c1b1aad7699098b245e6dd333e57b85b8f688322540
• Instruction ID: 06c8b4da8151c25a644974470329e5bc323313245fba1d24b37b63e5729c45b8
• Opcode Fuzzy Hash: b663b842af808f9cb4669c1b1aad7699098b245e6dd333e57b85b8f688322540
• Instruction Fuzzy Hash: 8693BBB4D052A88ADB65CF28C995BEDBBB5AF49304F0082DAD949B7241DB742FC4CF41
Uniqueness
• Uniqueness Score: -1.00%
APIs
• FindFirstFileA.KERNEL32(00000000,?), ref: 0087D4BB
• CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,00902B0C,00000001,0000002E,0000002F,?,008F83D1,3"{,008F83D1), ref: 0087D78B
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0087D906
• FindNextFileA.KERNEL32(00000000,?), ref: 0087D91C
• FindClose.KERNEL32(00000000), ref: 0087D92C
• GetLastError.KERNEL32 ref: 0087D932
• GetLastError.KERNEL32 ref: 0087D950
  • Part of subcall function 00884590: GetCurrentProcess.KERNEL32(0087DCB0), ref: 0088459F
  • Part of subcall function 00884590: IsWow64Process.KERNEL32(00000000), ref: 008845A6
  • Part of subcall function 007E195B: GetSystemTimeAsFileTime.KERNEL32(0087DE28,00000000,00000000,?,?,?,0087DE28,00000000), ref: 007E1970
  • Part of subcall function 007E195B: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007E198F
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,?,?,?,?), ref: 0087E0E1
• RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?), ref: 0087E1AD
• RegCloseKey.ADVAPI32(?), ref: 0087E1E2
• GetCurrentHwProfileA.ADVAPI32(?), ref: 0087E37A
• GetModuleHandleExA.KERNEL32(00000004,00883370,?,?,?,?,?,?,?,?,00000000), ref: 0087E87B
• GetModuleFileNameA.KERNEL32(?,?,00000104,?,?,?,?,?,?,?,00000000), ref: 0087E893
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,?,?), ref: 0087F246
• RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?), ref: 0087F312
• RegCloseKey.ADVAPI32(?), ref: 0087F591
• GetComputerNameA.KERNEL32(?,?), ref: 0087F5C5
• GetUserNameA.ADVAPI32(?,?), ref: 0087F763
• GetDesktopWindow.USER32 ref: 0087F806
• GetWindowRect.USER32(00000000,?), ref: 0087F814
• GetUserDefaultLocaleName.KERNEL32(?,00000200), ref: 0087F97F
• GetKeyboardLayoutList.USER32(00000000,00000000), ref: 0087FE45
• LocalAlloc.KERNEL32(00000040), ref: 0087FE57
• GetKeyboardLayoutList.USER32(?,00000000), ref: 0087FE72
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0087FE9D
• LocalFree.KERNEL32(?), ref: 00880060
• GetLocalTime.KERNEL32(?), ref: 00880077
• GetSystemTime.KERNEL32(?), ref: 0088028D
• GetTimeZoneInformation.KERNELBASE(?), ref: 008802B0
• TzSpecificLocalTimeToSystemTime.KERNELBASE(?,?,?), ref: 008802D5
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 008806EF
• RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?), ref: 00880841
• RegCloseKey.ADVAPI32(?), ref: 008808F2
• GetSystemInfo.KERNELBASE(?), ref: 0088091A
• GlobalMemoryStatusEx.KERNELBASE(?), ref: 008809CD
• EnumDisplayDevicesA.USER32(00000000,00000000,?,00000001), ref: 00880AE1
• EnumDisplayDevicesA.USER32(00000000,00000001,?,00000001), ref: 00880EC4
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00881003
• Process32First.KERNEL32(00000000,?), ref: 0088101B
• Process32Next.KERNEL32(00000000,?), ref: 00881031
• Process32Next.KERNEL32(00000000,?), ref: 00881103
• CloseHandle.KERNEL32(00000000), ref: 00881112
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 00881486
                                                                                                                                      • RegEnumKeyExA.KERNELBASE(?,00000000,?,?), ref: 008814BD
                                                                                                                                      • wsprintfA.USER32 ref: 008815A0
                                                                                                                                      • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 008815C3
                                                                                                                                      • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400), ref: 008816C2
                                                                                                                                      • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400), ref: 008817B9
                                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 00881895
                                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 008818B0
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
• Associated: 00000000.00000002.2323643354.00000000007A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323758499.00000000008FA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323799821.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323817101.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.000000000092D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000930000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323961256.000000000093C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323983621.0000000000940000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000942000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000947000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.000000000094A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.000000000094E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B03000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B09000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7a0000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CloseTime$FileOpenQueryValue$LocalNameSystem$EnumFindNextProcess32$CreateCurrentDevicesDisplayErrorFirstHandleInfoKeyboardLastLayoutListLocaleModuleProcessUserWindow$AllocComputerCopyDefaultDesktopDirectoryFreeGlobalInformationMemoryProfileRectSnapshotSpecificStatusToolhelp32Unothrow_t@std@@@Wow64Zone__ehfuncinfo$??2@wsprintf
                                                                                                                                      • String ID: 1.9$3"{$nikto$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$|<Ea
                                                                                                                                      • API String ID: 3185416054-850726101
                                                                                                                                      • Opcode ID: 06acbe5f1df3d908bfec5ece11389cc9c7e972b1d2d9473c163f07d421858555
                                                                                                                                      • Instruction ID: 30f5baa3e060fea63688ffb20a7f4093df8ad4d42d2e265e6709d4deb27ace62
                                                                                                                                      • Opcode Fuzzy Hash: 06acbe5f1df3d908bfec5ece11389cc9c7e972b1d2d9473c163f07d421858555
                                                                                                                                      • Instruction Fuzzy Hash: A3B3EFB4D0426DCBDB25CF98C985AEEBBB4BF48300F104199E948B7341DB746A85CFA5
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%
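The API listing above records the sample's host-fingerprinting routine (keyboard layouts, locale, local time and time zone, HKLM registry values, CPU and memory, display devices, a Toolhelp32 process walk), and the CreateDirectoryA/CopyFileA listing that follows it records file staging under the folder returned by SHGetFolderPathA for CSIDL 0x1A (CSIDL_APPDATA). Reading the raw hex constants by hand is slow, so below is a small triage parser for this listing format. It is an added example, not code from Joe Sandbox, from this report or from the RisePro sample; the sample input is a subset of the lines copied from the two listings in this section, the Win32 constant tables are standard values, and the behaviour categories are this example's own grouping.

```python
"""Triage helper for the 'APIs' listings in a Joe Sandbox function summary.

Added example (not Joe Sandbox or RisePro code). Parses entries such as
"• GetSystemInfo.KERNELBASE(?), ref: 0088091A", with or without an argument
list and optionally prefixed "Part of subcall function XXXXXXXX:", decodes the
hex constants an analyst reads first (registry hive and access mask, CSIDL
folder id, Toolhelp32 flags) and buckets the calls by behaviour (assumed grouping).
"""
import re
from collections import Counter

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[\w:@]+)\.(?P<module>\w+)"        # std::_Throw_Cpp_error.LIBCPMT also fits
    r"(?:\((?P<args>[^)]*)\))?"                 # wsprintfA.USER32 has no argument list
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?\s*$"
)

REG_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
             0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_ACCESS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
CSIDL = {0x1A: "CSIDL_APPDATA (%APPDATA%)", 0x1C: "CSIDL_LOCAL_APPDATA",
         0x23: "CSIDL_COMMON_APPDATA (C:\\ProgramData)"}
TH32CS = {0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD", 0x8: "TH32CS_SNAPMODULE"}

CATEGORIES = {  # assumed grouping of the APIs seen in this report
    "host fingerprinting": {"GetKeyboardLayoutList", "GetLocaleInfoA", "GetLocalTime",
                            "GetSystemTime", "GetTimeZoneInformation", "GetSystemInfo",
                            "TzSpecificLocalTimeToSystemTime", "GlobalMemoryStatusEx",
                            "EnumDisplayDevicesA"},
    "registry access": {"RegOpenKeyExA", "RegQueryValueExA", "RegEnumKeyExA", "RegCloseKey"},
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "file staging": {"SHGetFolderPathA", "CreateDirectoryA", "CopyFileA",
                     "FindFirstFileA", "GetFileAttributesA"},
}


def _hex_arg(args, index):
    """args[index] as an int, or None when absent or symbolic ('?', a string literal)."""
    try:
        return int(args[index], 16)
    except (IndexError, ValueError):
        return None


def decode_args(api, args):
    """Readable notes for the constant arguments of the calls worth a close look."""
    notes = []
    if api.startswith("RegOpenKeyEx"):          # (hKey, subkey, options, samDesired, result)
        root, access = _hex_arg(args, 0), _hex_arg(args, 3)
        if root in REG_ROOTS:
            notes.append(REG_ROOTS[root])
        if access in REG_ACCESS:
            notes.append(REG_ACCESS[access])
    elif api.startswith("SHGetFolderPath"):     # (hwnd, csidl, token, flags, path)
        csidl = _hex_arg(args, 1)
        if csidl in CSIDL:
            notes.append(CSIDL[csidl])
    elif api == "CreateToolhelp32Snapshot":     # (dwFlags, th32ProcessID)
        flags = _hex_arg(args, 0) or 0
        notes += [name for bit, name in TH32CS.items() if flags & bit]
    return notes


def classify(api):
    return next((cat for cat, names in CATEGORIES.items() if api in names), "other")


def parse_api_lines(text):
    """One record per '• Api.MODULE(args), ref: ADDR' line; other report lines are skipped."""
    records = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        records.append({"api": m["api"], "module": m["module"], "args": args, "ref": m["ref"],
                        "subcall": m["sub"], "category": classify(m["api"]),
                        "notes": decode_args(m["api"], args)})
    return records


def summarize(text):
    """Call mix, registry hives, shell folders and direct-call order for one function."""
    recs = parse_api_lines(text)
    notes = [n for r in recs for n in r["notes"]]
    return {"calls": len(recs),
            "by_category": Counter(r["category"] for r in recs),
            "registry_roots": sorted({n for n in notes if n.startswith("HKEY_")}),
            "folders": sorted({n for n in notes if n.startswith("CSIDL_")}),
            "sequence": [r["api"] for r in recs if not r["subcall"]]}


# Sample input: lines copied from the two API listings in this report (a subset).
SAMPLE = """\
• GetKeyboardLayoutList.USER32(00000000,00000000), ref: 0087FE45
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 0087FE9D
• GetTimeZoneInformation.KERNELBASE(?), ref: 008802B0
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020019,?), ref: 008806EF
• RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,?), ref: 00880841
• RegCloseKey.ADVAPI32(?), ref: 008808F2
• GlobalMemoryStatusEx.KERNELBASE(?), ref: 008809CD
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00881003
• Process32Next.KERNEL32(00000000,?), ref: 00881031
• wsprintfA.USER32 ref: 008815A0
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 007ABB07
• CopyFileA.KERNEL32(?,00000000,00000000), ref: 007ABF80
  • Part of subcall function 0087D2B0: FindFirstFileA.KERNEL32(00000000,?), ref: 0087D4BB
"""

if __name__ == "__main__":
    for r in parse_api_lines(SAMPLE):
        print(f'{r["ref"]}  {r["category"]:<20} {r["api"]:<26} {" ".join(r["notes"])}')
    print(dict(summarize(SAMPLE)["by_category"]))
```

Paste a whole "APIs" block into `SAMPLE` (or read it from a file) and `summarize` gives the call mix, the hives opened and the shell folders resolved; the `sequence` list keeps direct calls in address order, which is what you compare against another function or another sample. Subcall entries are kept as records but tagged with the callee address so they do not distort the caller's own call order.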

                                                                                                                                      APIs
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 007ABA08
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 007ABAD2
                                                                                                                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 007ABF80
                                                                                                                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 007AC47A
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 007AC575
                                                                                                                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 007AC969
                                                                                                                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 007ACD72
                                                                                                                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 007AD17B
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 007AD29A
                                                                                                                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 007AD5FD
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 007AD6F8
                                                                                                                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 007AD9DC
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 007ADAD7
                                                                                                                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 007ADE41
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 007ADF3C
                                                                                                                                      • CopyFileA.KERNEL32(?,?,00000000), ref: 007AE55A
                                                                                                                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 007AECF6
                                                                                                                                      • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 007AEEEA
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 007AF45B
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 007AF525
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 007AFEF1
                                                                                                                                      • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 007B01ED
                                                                                                                                      • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 007B0580
                                                                                                                                      • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 007B088D
                                                                                                                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 007B0DC4
                                                                                                                                      • CopyFileA.KERNEL32(?,?,00000000), ref: 007B173C
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 007B1904
                                                                                                                                      • CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 007B1CD7
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 007B1E6E
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 007B1FBE
                                                                                                                                      • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 007B0B14
                                                                                                                                        • Part of subcall function 0087D2B0: CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,00902B0C,00000001,0000002E,0000002F,?,008F83D1,3"{,008F83D1), ref: 0087D78B
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 007B0F12
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 007AFC55
                                                                                                                                        • Part of subcall function 0087D2B0: FindFirstFileA.KERNEL32(00000000,?), ref: 0087D4BB
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 007AF933
                                                                                                                                        • Part of subcall function 00884050: std::_Throw_Cpp_error.LIBCPMT ref: 008840FF
                                                                                                                                        • Part of subcall function 00884050: std::_Throw_Cpp_error.LIBCPMT ref: 00884110
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 007AE6FA
                                                                                                                                        • Part of subcall function 008633B0: FindFirstFileA.KERNELBASE(00000000,?), ref: 008634EF
                                                                                                                                        • Part of subcall function 007C9070: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 007C910D
                                                                                                                                        • Part of subcall function 007C9070: ___std_fs_convert_narrow_to_wide@20.LIBCPMT ref: 007C9155
                                                                                                                                      • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 007ABB07
                                                                                                                                        • Part of subcall function 00884050: GetFileAttributesA.KERNELBASE ref: 008840AC
                                                                                                                                        • Part of subcall function 00884050: GetLastError.KERNEL32 ref: 008840B7
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 007ABD08
                                                                                                                                      • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 007ABD37
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 007AC0CC
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 007AC196
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: CreateDirectory$File$Copy$Cpp_errorFindFirstFolderPathThrow____std_fs_convert_narrow_to_wide@20std::_$AttributesErrorLast
• String ID: v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
• API String ID: 3985928759-2632615832
• Opcode ID: d5d0a39d30cc1ff87160334bb4627f45d52181905ad0fc5ce0134e19d74eb9d6
• Instruction ID: 4ed92c29d0a8698f8176cae2ed0a71380bceb088e1968607f65ff9c92b918509
• Opcode Fuzzy Hash: d5d0a39d30cc1ff87160334bb4627f45d52181905ad0fc5ce0134e19d74eb9d6
• Instruction Fuzzy Hash: D2F3DFB4D0425DCBDB25CFA8C985AEEBBB0BF49300F104199D859B7341EB742A85CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00831AC7
  • Part of subcall function 00884050: GetFileAttributesA.KERNELBASE ref: 008840AC
  • Part of subcall function 00884050: GetLastError.KERNEL32 ref: 008840B7
• FindFirstFileA.KERNEL32(?,?), ref: 0083207F
• FindNextFileA.KERNEL32(00000000,?), ref: 0083248C
• FindClose.KERNEL32(00000000), ref: 0083249C
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00832573
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00832639
• CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 008327BD
  • Part of subcall function 00884050: std::_Throw_Cpp_error.LIBCPMT ref: 008840FF
  • Part of subcall function 00884050: std::_Throw_Cpp_error.LIBCPMT ref: 00884110
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00832964
• CopyFileA.KERNEL32(00000000,?,00000000), ref: 00832C18
• CopyFileA.KERNEL32(?,00000000,00000000), ref: 00833158
• CredEnumerateA.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?), ref: 0083351D
• LocalFree.KERNELBASE(?), ref: 00833DF7
  • Part of subcall function 007D51EB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,18EC83FF,0080A937,?,007D1CF9,?,009169D8,0080A937,?,0080A937,-0000001C), ref: 007D524B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: File$CopyCreateDirectoryFind$Cpp_errorThrow_std::_$AttributesCloseCredEnumerateErrorExceptionFirstFolderFreeLastLocalNextPathRaise
• String ID: cannot use operator[] with a string argument with $v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
• API String ID: 3528249430-249588351
• Opcode ID: 9273e051131d7b294b76f1a789a47f84778887a2b98418029f946db547dcb86c
• Instruction ID: 9c9cfe6f26a3cf82dac41e68686ffa3c554067adf5e644abc3613eabff8f25a5
• Opcode Fuzzy Hash: 9273e051131d7b294b76f1a789a47f84778887a2b98418029f946db547dcb86c
• Instruction Fuzzy Hash: 5E33ECB4D042A98BDB65CF68C895BEDBBB0BF49300F1082D9D858B7341EB746A85CF51
Uniqueness
Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00836324
• GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00836422
• GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 00836618
• lstrlen.KERNEL32(?), ref: 00838931
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
• String ID: XO4$cannot use operator[] with a string argument with $cannot use push_back() with $v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
• API String ID: 1311570089-1359732929
• Opcode ID: fcae389ce93a88c346f46ae1c7e3768fa24369c6ba1fe0f563532558bd35b688
• Instruction ID: cc814da3c89464c5d97326fad07b88a05856d66a2e3f1e500b3c4577dc743323
• Opcode Fuzzy Hash: fcae389ce93a88c346f46ae1c7e3768fa24369c6ba1fe0f563532558bd35b688
• Instruction Fuzzy Hash: 084301B0D052688BDB65CF28C894BEDBBB5BF49304F1082D9E449B7242DB756B84CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,008F80C7,000000FF), ref: 00874A1C
• SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00874A43
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00874D09
• CreateDirectoryA.KERNEL32(?,00000000), ref: 0087506B
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?), ref: 00875712
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 008759D3
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008761A7
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0087658D
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00876D42
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00877003
• CreateDirectoryA.KERNEL32(?,00000000), ref: 008776CE
• CopyFileA.KERNEL32(?,00000000,00000000), ref: 0087779F
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00877AC2
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00877E2D
• CopyFileA.KERNEL32(?,00000000,00000000), ref: 00877EFE
• CreateDirectoryA.KERNEL32(?,00000000), ref: 008781E9
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?), ref: 00878479
• CreateDirectoryA.KERNEL32(?,00000000), ref: 0087862C
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00878906
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00878CEC
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?), ref: 008790A1
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00879254
• CreateDirectoryA.KERNEL32(?,00000000), ref: 0087952E
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00879914
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00877363
  • Part of subcall function 0087D2B0: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0087D906
  • Part of subcall function 0087D2B0: GetLastError.KERNEL32 ref: 0087D950
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?), ref: 008769F8
                                                                                                                                        • Part of subcall function 0087D2B0: FindNextFileA.KERNEL32(00000000,?), ref: 0087D91C
                                                                                                                                        • Part of subcall function 0087D2B0: FindClose.KERNEL32(00000000), ref: 0087D92C
                                                                                                                                        • Part of subcall function 0087D2B0: GetLastError.KERNEL32 ref: 0087D932
                                                                                                                                      • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?), ref: 00875D1A
                                                                                                                                        • Part of subcall function 0087D2B0: CreateDirectoryA.KERNEL32(00000000,00000000,0000002E,0000002F,?,?,?,?,00902B0C,00000001,0000002E,0000002F,?,008F83D1,3"{,008F83D1), ref: 0087D78B
                                                                                                                                      • CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00875ECD
                                                                                                                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 008753CB
                                                                                                                                        • Part of subcall function 0087D2B0: FindFirstFileA.KERNEL32(00000000,?), ref: 0087D4BB
                                                                                                                                        • Part of subcall function 00884050: GetFileAttributesA.KERNELBASE ref: 008840AC
                                                                                                                                        • Part of subcall function 00884050: GetLastError.KERNEL32 ref: 008840B7
                                                                                                                                        • Part of subcall function 00884050: std::_Throw_Cpp_error.LIBCPMT ref: 008840FF
                                                                                                                                        • Part of subcall function 00884050: std::_Throw_Cpp_error.LIBCPMT ref: 00884110
                                                                                                                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 00879D4C
                                                                                                                                      • CopyFileA.KERNEL32(?,00000000,00000000), ref: 00879EA3
                                                                                                                                        • Part of subcall function 0087B7E0: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0087B84D
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2323643354.00000000007A0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2323758499.00000000008FA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2323799821.0000000000920000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2323817101.0000000000922000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2323834373.000000000092D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2323834373.0000000000930000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2323961256.000000000093C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2323983621.0000000000940000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324010034.0000000000942000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324010034.0000000000947000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324010034.000000000094A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.000000000094E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AF5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AF7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AF9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AFB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B01000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B03000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B05000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B07000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7a0000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateDirectory$File$Copy$ErrorFindFolderLastPath$Cpp_errorThrow_std::_$AttributesCloseFirstNext
                                                                                                                                      • String ID: v<Ea$v<Ea
                                                                                                                                      • API String ID: 901091077-2190929436
                                                                                                                                      • Opcode ID: fe986636787d62fca5343ce109c980506b5e80469cfe76d1ca352d55efd7c260
                                                                                                                                      • Instruction ID: f83ebbe098512d53aaaa1b6b6c2c91f2b3866ca991b704fe687ef42d78e65ae3
                                                                                                                                      • Opcode Fuzzy Hash: fe986636787d62fca5343ce109c980506b5e80469cfe76d1ca352d55efd7c260
                                                                                                                                      • Instruction Fuzzy Hash: 78F3F1B4D04259CBDB15CFA8C995AEEBBB0BF49300F244199D949B7341E7706B84CFA2
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%
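The API listings above are the report's evidence for what this function and its subcalls do: subcall 0087D2B0 combines FindFirstFileA/FindNextFileA/FindClose with CreateDirectoryA and CopyFileA, and subcall 0087B7E0 resolves a shell folder with SHGetFolderPathA whose second argument is 0000001A. The following Python is an added triage helper, not part of the Joe Sandbox report or its tooling: it parses API lines in this format, decodes the CSIDL passed to SHGetFolderPathA using the standard constants from the Windows SDK, and labels the enumerate-then-copy and INI-read patterns that the records on this page show. The sample lines are copied from the listings above; the label names and the pattern rules are my own heuristics.

```python
import re
from collections import Counter

# CSIDL values (Windows SDK shlobj.h) commonly seen as the 2nd argument of SHGetFolderPathA.
CSIDL = {
    0x00: "CSIDL_DESKTOP", 0x02: "CSIDL_PROGRAMS", 0x05: "CSIDL_PERSONAL",
    0x07: "CSIDL_STARTUP", 0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA",
    0x23: "CSIDL_COMMON_APPDATA", 0x26: "CSIDL_PROGRAM_FILES", 0x28: "CSIDL_PROFILE",
}

# One Joe Sandbox API line: optional bullet, optional "Part of subcall function XXXXXXXX:",
# then Api.MODULE, an optional "(args)", and the "ref: XXXXXXXX" call-site address.
LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[^.(\s]+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Constructed sample: lines copied from the two function records above.
SAMPLE_COPY = """\
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00877003
• CopyFileA.KERNEL32(?,00000000,00000000), ref: 0087779F
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00877AC2
  • Part of subcall function 0087D2B0: CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0087D906
  • Part of subcall function 0087D2B0: GetLastError.KERNEL32 ref: 0087D950
  • Part of subcall function 0087D2B0: FindNextFileA.KERNEL32(00000000,?), ref: 0087D91C
  • Part of subcall function 0087D2B0: FindClose.KERNEL32(00000000), ref: 0087D92C
  • Part of subcall function 0087D2B0: FindFirstFileA.KERNEL32(00000000,?), ref: 0087D4BB
  • Part of subcall function 00884050: GetFileAttributesA.KERNELBASE ref: 008840AC
  • Part of subcall function 00884050: std::_Throw_Cpp_error.LIBCPMT ref: 008840FF
  • Part of subcall function 0087B7E0: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0087B84D
"""
SAMPLE_INI = """\
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?), ref: 00838C78
• GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00838D85
• GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 00838F78
• lstrlen.KERNEL32(?), ref: 0083AD4D
"""


def parse_calls(text):
    """Turn report lines into dicts; lines that do not match the API format are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append({
            "api": m.group("api"), "module": m.group("mod"),
            "args": raw.split(",") if raw is not None else [],   # "?" marks an unresolved argument
            "ref": int(m.group("ref"), 16), "subcall": m.group("sub"),
        })
    return calls


def folder_targets(calls):
    """Symbolic CSIDL names for every SHGetFolderPathA call whose folder argument is concrete."""
    names = []
    for c in calls:
        if c["api"] == "SHGetFolderPathA" and len(c["args"]) >= 2 and c["args"][1] != "?":
            value = int(c["args"][1], 16)
            names.append(CSIDL.get(value, f"CSIDL_0x{value:X}"))
    return names


def classify(calls):
    """Heuristic labels (my own) for the behaviours visible in the call set."""
    apis = {c["api"] for c in calls}
    labels = []
    # Enumerate a tree and recreate it elsewhere: Find* loop plus mkdir plus copy.
    if {"FindFirstFileA", "FindNextFileA", "FindClose"} <= apis and {"CreateDirectoryA", "CopyFileA"} <= apis:
        labels.append("directory-tree copy")
    # Walk INI sections and read their keys.
    if {"GetPrivateProfileSectionNamesA", "GetPrivateProfileStringA"} & apis:
        labels.append("ini-config read")
    labels.extend(f"folder:{name}" for name in folder_targets(calls))
    return labels


def summarize(calls):
    """Counts per API, the distinct subcall functions, and the derived labels."""
    return {
        "api_counts": Counter(c["api"] for c in calls),
        "subcalls": sorted({c["subcall"] for c in calls if c["subcall"]}),
        "labels": classify(calls),
    }


if __name__ == "__main__":
    for name, text in (("copy routine", SAMPLE_COPY), ("ini reader", SAMPLE_INI)):
        print(name, summarize(parse_calls(text)))
```

Run against the two records the output labels the first as a directory-tree copy rooted at CSIDL_APPDATA and the second as an INI read under the same folder; pointing the parser at a whole exported report gives the same per-function summary for every record.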

APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?), ref: 00838C78
• GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00838D85
• GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 00838F78
• lstrlen.KERNEL32(?), ref: 0083AD4D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
• Associated: 00000000.00000002.2323643354.00000000007A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323758499.00000000008FA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323799821.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323817101.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.000000000092D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000930000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323961256.000000000093C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323983621.0000000000940000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000942000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000947000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.000000000094A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.000000000094E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B03000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B09000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
• String ID: cannot use operator[] with a string argument with $cannot use push_back() with $v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
• API String ID: 1311570089-2661975114
• Opcode ID: 49841492a5e8327a235d8611b56c7320e89c47d426bb0f85e62d16c59f7860ce
• Instruction ID: 59ffe55d302956a06e0df8dbb801adaab6b5548e1eededf15887697db02a58b3
• Opcode Fuzzy Hash: 49841492a5e8327a235d8611b56c7320e89c47d426bb0f85e62d16c59f7860ce
• Instruction Fuzzy Hash: BD23FFB0D052688BDB65CF28C8947EDBBB5BF49304F1082D9E849B7241EB746B85CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00834024
• GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 00834122
• GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 00834315
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00835B98
• lstrlen.KERNEL32(?), ref: 0083606F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
• Associated: 00000000.00000002.2323643354.00000000007A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323758499.00000000008FA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323799821.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323817101.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.000000000092D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000930000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323961256.000000000093C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323983621.0000000000940000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000942000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000947000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.000000000094A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.000000000094E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B03000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B05000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B07000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7a0000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: PrivateProfile$FolderNamesPathSectionStringUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
                                                                                                                                      • String ID: cannot use operator[] with a string argument with $cannot use push_back() with $v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
                                                                                                                                      • API String ID: 3203477177-515590595
                                                                                                                                      • Opcode ID: ac398fd56f8cc040d46f63e392a5d92e10c373cff2457239929836ba750334e0
                                                                                                                                      • Instruction ID: 18a4005e7198bd7b7c7816e7fb337a6d138b693f70fc7d33342cf41559051086
                                                                                                                                      • Opcode Fuzzy Hash: ac398fd56f8cc040d46f63e392a5d92e10c373cff2457239929836ba750334e0
                                                                                                                                      • Instruction Fuzzy Hash: 8C23FFB4D052688BDB65CF28C884BEDBBB5BF49304F1082D9E849A7241EB746F84CF55
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?), ref: 0083B014
                                                                                                                                      • GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0083B112
                                                                                                                                      • GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 0083B305
                                                                                                                                      • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0083CA52
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7a0000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: PrivateProfile$FolderNamesPathSectionStringlstrlen
                                                                                                                                      • String ID: cannot use operator[] with a string argument with $cannot use push_back() with $v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
                                                                                                                                      • API String ID: 1311570089-1931402353
                                                                                                                                      • Opcode ID: d56ec6f73a6fc13046d7fec11e1929462feaa19688bf5f89028df46de1e4318f
                                                                                                                                      • Instruction ID: 0f46d87236823b1e4c63122a7d286c0a42bd63f4b20d94228c685326de303bce
                                                                                                                                      • Opcode Fuzzy Hash: d56ec6f73a6fc13046d7fec11e1929462feaa19688bf5f89028df46de1e4318f
                                                                                                                                      • Instruction Fuzzy Hash: 8C0302B0D052688BDB25CF28C895BEDBBB4BF59304F1082D9D849B7241EB706B85CF91
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      APIs
                                                                                                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 00883F97
                                                                                                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 00883FA8
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7a0000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Cpp_errorThrow_std::_
                                                                                                                                      • String ID: \*.*
                                                                                                                                      • API String ID: 2134207285-1173974218
                                                                                                                                      • Opcode ID: 741cfcc26fee64edf99d5643ac44bebe6cc4d96010def741d4867c5f2e57ceb5
                                                                                                                                      • Instruction ID: 980c9103e518fdf037a98cbd3983ce0db2db96443121d08122e1e6f86c580e89
                                                                                                                                      • Opcode Fuzzy Hash: 741cfcc26fee64edf99d5643ac44bebe6cc4d96010def741d4867c5f2e57ceb5
                                                                                                                                      • Instruction Fuzzy Hash: 44D1D070D00248DFDB10EFA8C948BEDBBB1FF55314F204259E459BB292DB745A89CB91
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                       Control-flow Graph

                                                                                                                                       • Graph image not reproduced in this extraction; structure recovered from the node list:
                                                                                                                                       • Entry 87c3e0-87c4fd: call 7d59a0, SHGetFolderPathA; then 87c507-87c529 (call 7a3040), 87c537-87c599 (call 7bfbf0) and 87c5ca-87c5f7 (call 884050).
                                                                                                                                       • Four CreateDirectoryA blocks at 87c6c2, 87c8c3, 87cbe3 and 87d016. Each is preceded by a block that calls 7bab20 and 884050 (the GetFileAttributesA/GetLastError check listed under APIs) and then branches either into the CreateDirectoryA block or past it.
                                                                                                                                       • After the second, third and fourth CreateDirectoryA sites, 87c8e4, 87cc08 and 87d03b call 7b63b0, 7bab20 and 87d2b0 and continue into 7a2cf0/883b20 blocks. The exit side is 87d209-87d288 (calls 7a2df0, 7d38e3) and 87d289-87d2a2 (calls 7d8c60, 7a2c60).
                                                                                                                                      APIs
                                                                                                                                      • SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0087C44A
                                                                                                                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 0087C6D9
                                                                                                                                        • Part of subcall function 00884050: GetFileAttributesA.KERNELBASE ref: 008840AC
                                                                                                                                        • Part of subcall function 00884050: GetLastError.KERNEL32 ref: 008840B7
                                                                                                                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 0087C8DA
                                                                                                                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 0087CBFA
                                                                                                                                        • Part of subcall function 00884050: std::_Throw_Cpp_error.LIBCPMT ref: 008840FF
                                                                                                                                        • Part of subcall function 00884050: std::_Throw_Cpp_error.LIBCPMT ref: 00884110
                                                                                                                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 0087D02D
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
                                                                                                                                       • Associated: 00000000.00000002.2323643354.00000000007A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2323758499.00000000008FA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2323799821.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2323817101.0000000000922000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2323834373.000000000092D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2323834373.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2323961256.000000000093C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2323983621.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2324010034.0000000000942000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2324010034.0000000000947000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2324010034.000000000094A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2324081576.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2324081576.0000000000AF5000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2324081576.0000000000AF7000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2324081576.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2324081576.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2324081576.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2324081576.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2324081576.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2324081576.0000000000B03000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2324081576.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2324081576.0000000000B07000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2324081576.0000000000B09000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                       • Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7a0000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateDirectory$Cpp_errorThrow_std::_$AttributesErrorFileFolderLastPath
                                                                                                                                      • String ID: v<Ea$v<Ea
                                                                                                                                      • API String ID: 3108237365-2190929436
                                                                                                                                      • Opcode ID: 825dd2c5c0ccf78a915ae6d47e9fcc962528d0c5d84ff90eeef2b1c9e20e3e14
                                                                                                                                      • Instruction ID: b085a2eff73d2c44d331215f1fd43941579a143336eaee6d34c8ad1c9b48e055
                                                                                                                                      • Opcode Fuzzy Hash: 825dd2c5c0ccf78a915ae6d47e9fcc962528d0c5d84ff90eeef2b1c9e20e3e14
                                                                                                                                      • Instruction Fuzzy Hash: 54A2EEB4D0425DCBDB15CFA8C985AEEBBB0BF09300F204199D959B7341E7706A85CFA1
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                       Control-flow Graph

                                                                                                                                       • Graph image not reproduced in this extraction; structure recovered from the node list:
                                                                                                                                       • Entry 864130-86418c branches to 8643b4-8643c8 (call 7d39a3, then 8643ce-8643fa with 7a8710, 7d38ce, 7d3952) or to 864192-8641a1 (call 7d2b89); 8643ff-864401 and the start of 864406 call 7d2524, where the std::_Throw_Cpp_error references at 864401 and 864412 listed under APIs fall.
                                                                                                                                       • 8641b7-8642af (calls 8877d0, 7bab20, 7bad80, 7a9280, 7a2df0) leads to 8642c2 (GetPEB) and the loop 8642d0-86433b, with inner loops at 8642e6-86430a and 864310-864323; the loop leaves through 864365-8643b3 (7b63b0, 7d2b9a, 7a2df0 twice).
                                                                                                                                       • 864406-86455d calls 7d2524, 7bae80, 7b63b0, 884870 (__fread_nolock), DeleteFileA, then 7d59a0/7d5260 three times; the remainder 86455f-864873 is a chain of short compare blocks with calls to 7b8dc0, 7d5260, 8877d0, 7a3040, 7a9280 and 7a8f20, ending in two 7a2df0 calls.
                                                                                                                                      APIs
                                                                                                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 00864401
                                                                                                                                        • Part of subcall function 007D2524: __EH_prolog3.LIBCMT ref: 007D2560
                                                                                                                                      • std::_Throw_Cpp_error.LIBCPMT ref: 00864412
                                                                                                                                        • Part of subcall function 00884870: __fread_nolock.LIBCMT ref: 008849B9
                                                                                                                                      • DeleteFileA.KERNELBASE(?), ref: 0086449B
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
                                                                                                                                       • Associated: same set of 31 dumps (007A0000 through 0000000000CA0000) as listed for the previous function
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7a0000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Cpp_errorThrow_std::_$DeleteFileH_prolog3__fread_nolock
                                                                                                                                      • String ID: 131$nikto$v<Ea$v<Ea
                                                                                                                                      • API String ID: 3880692912-2124456754
                                                                                                                                      • Opcode ID: 92674b9793ad300e5f187f318bf378b7b61a21378470c6ba872ba56ce1bb00cd
                                                                                                                                      • Instruction ID: ce89147273b3eb32e58ae19d5b846df54c150eaf0364027571a43868e3f859b1
                                                                                                                                      • Opcode Fuzzy Hash: 92674b9793ad300e5f187f318bf378b7b61a21378470c6ba872ba56ce1bb00cd
                                                                                                                                      • Instruction Fuzzy Hash: BA32CDB0D00248CFCB14DFA8D845BAEBBB1FF49304F248159E815AB392D775AE45CB92
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                       Control-flow Graph

                                                                                                                                       • Graph image not reproduced in this extraction; structure recovered from the node list:
                                                                                                                                       • Entry 8633b0-863420 branches to 863422-863437 (call 7a2df0) or 86343a-8634e3 (call 7bab20), then 8634e7-86350c FindFirstFileA, which continues either into the per-entry loop at 863512 or straight to the exit block 863813-86383d (call 7a2df0).
                                                                                                                                       • Loop body: 863512-863516 → 863518-86352e (either skip ahead to FindNextFileA or continue) → 863534-86356d (short compare blocks, with a self-loop at 863540-863545) → 863573-863577, which takes either 86357d-8636ce (calls 7bab20, 7b8f00, 7c42a0) or 863735-86379a (calls 7a3040, 7c42a0); both sides rejoin at 8637e7-8637f7 FindNextFileA, which loops back to 863512 until GetLastError at 8637fd and FindClose at 86380c.
                                                                                                                                       • Error exits: 8636ee-8636fc and 8637bb-8637c9 lead to 86383e-863843 (call 7d8c60).
APIs
• FindFirstFileA.KERNELBASE(00000000,?), ref: 008634EF
• FindNextFileA.KERNELBASE(00000000,?), ref: 008637EF
• GetLastError.KERNEL32 ref: 008637FD
• FindClose.KERNEL32(00000000), ref: 0086380D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
• Associated: 00000000.00000002.2323643354.00000000007A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323758499.00000000008FA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323799821.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323817101.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.000000000092D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000930000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323961256.000000000093C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323983621.0000000000940000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000942000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000947000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.000000000094A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.000000000094E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B03000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B09000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: Find$File$CloseErrorFirstLastNext
• String ID: v<Ea$v<Ea$v<Ea
• API String ID: 819619735-1164314080
• Opcode ID: 79820468cfff0dba8edc7c0b872433e356a88339a4cb019e3bd0fde65858cf27
• Instruction ID: 2c2cea822ea6e7e94191dd371a6840e82f6dc6f60749014a18f0a45ac2bef9a0
• Opcode Fuzzy Hash: 79820468cfff0dba8edc7c0b872433e356a88339a4cb019e3bd0fde65858cf27
• Instruction Fuzzy Hash: 36D179B0D002888FDB25CFA8C9887EEBBB1FF45314F148299D459BB382D7746A84CB51
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph: function starting at 865940 (graph edge list omitted; API call nodes in the graph: WSAStartup, getaddrinfo, socket, connect, closesocket, FreeAddrInfoW, WSACleanup; internal calls to 8877d0)
APIs
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
• Associated: 00000000.00000002.2323643354.00000000007A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323758499.00000000008FA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323799821.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323817101.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.000000000092D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000930000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323961256.000000000093C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323983621.0000000000940000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000942000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000947000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.000000000094A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.000000000094E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B03000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B09000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: AddrFreeInfo$CleanupStartupclosesocketconnectgetaddrinfosocket
• String ID:
• API String ID: 448659506-0
• Opcode ID: ecc218569aef62485411e6bdfd1a674ec3a7c8638e6906fc0dd25e060113f481
• Instruction ID: 8747b845a080f87cca7f6104deb04105cf7f66c3000a82ee309e71d7c18afdee
• Opcode Fuzzy Hash: ecc218569aef62485411e6bdfd1a674ec3a7c8638e6906fc0dd25e060113f481
• Instruction Fuzzy Hash: F43190725047109BD7209F75DC84A6ABBE9FB84735F11471DF9A9D22A0E730A844CB92
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph: function starting at 898080 (graph edge list omitted; no imported API call nodes in the graph, only internal calls to 899280, 8e7470, 7d59a0, 8e8490, 8e7110, 8e7c40, 8986f0, 8e4950, 8e3530, 898950, 8b8da0, 898a90, 8b8f50, 898f50)
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
• Associated: 00000000.00000002.2323643354.00000000007A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323758499.00000000008FA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323799821.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323817101.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.000000000092D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000930000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323961256.000000000093C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323983621.0000000000940000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000942000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000947000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.000000000094A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.000000000094E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B03000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B09000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID:
• String ID: BINARY$MATCH$NOCASE$RTRIM$automatic extension loading failed: %s$no such vfs: %s$sqlite_rename_table
• API String ID: 0-1885142750
• Opcode ID: 304537c9501a22eba16cd8ed166a7ca85446bef3919e4d269f4cc6113a4d6248
• Instruction ID: 10f694cf4e92b8314febe5ab66652d2a5e515149700637de2913e49f7482ef3b
• Opcode Fuzzy Hash: 304537c9501a22eba16cd8ed166a7ca85446bef3919e4d269f4cc6113a4d6248
• Instruction Fuzzy Hash: EF022470A00702DFEF31AF69DC45B6B77E4FB52304F184428E84ADB292DBB5A945CB91
Uniqueness
• Uniqueness Score: -1.00%
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00863F07
• LocalFree.KERNEL32(?), ref: 00863F36
• LocalFree.KERNEL32(?), ref: 00864032
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: FreeLocal$CryptDataUnprotect
• String ID:
• API String ID: 2835072361-0
• Opcode ID: 9681ec3ce96e70176ba2396b81fd9d23063634c03fb1b236c3256827a370823d
• Instruction ID: 7ee4f444eb93e5f3cfc675e6cd1fe51e33797f22f4744be16af98227ca8e3cc1
• Opcode Fuzzy Hash: 9681ec3ce96e70176ba2396b81fd9d23063634c03fb1b236c3256827a370823d
• Instruction Fuzzy Hash: 8471C371D00248DBDB00DFA8C8457EDFBB4FB55310F14826AE814B3382EB796A45DBA2
Uniqueness
• Uniqueness Score: -1.00%
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008DCA85
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008DCD87
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID:
• API String ID: 885266447-0
• Opcode ID: 44929161152ec61725dc92b102a84d4f0202cc032cab543c685470209cea879a
• Instruction ID: f90ae7db708a12b7b5c8ceeb5421fa10f417285fb87f362a6622f018f35c9507
• Opcode Fuzzy Hash: 44929161152ec61725dc92b102a84d4f0202cc032cab543c685470209cea879a
• Instruction Fuzzy Hash: BE0279B0604617AFDB18CB69C850B6AB7E1FF89324F04866EE849CB750D774ED54CB82
Uniqueness
• Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7a0000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 16223c9c5debb5c9f643bad3712e7f574c8e858b66cff5b6a3aebcecfed03433
                                                                                                                                      • Instruction ID: df353e4d0cad640baf1c97c43cb493ff067a77d0f7e7e285f40a44d62a886514
                                                                                                                                      • Opcode Fuzzy Hash: 16223c9c5debb5c9f643bad3712e7f574c8e858b66cff5b6a3aebcecfed03433
                                                                                                                                      • Instruction Fuzzy Hash: 87B1E73490268ECBCB248F6AC9596BEB7B5AF0C300F14461ED592AB651C7BC9DC1CBD1
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2323643354.00000000007A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323758499.00000000008FA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323799821.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323817101.0000000000922000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323834373.000000000092D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323834373.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323961256.000000000093C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323983621.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324010034.0000000000942000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324010034.0000000000947000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324010034.000000000094A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AF5000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AF7000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B03000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B07000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B09000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7a0000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 59d73a08bba9fce25658a82d2a3aee41a694939f870c85ac318c75fbcdff2e2f
                                                                                                                                      • Instruction ID: 2f242cc796e194cbad5dcbe48c021c23dfb6147f4ccaa1aa8f6ff842427e4048
                                                                                                                                      • Opcode Fuzzy Hash: 59d73a08bba9fce25658a82d2a3aee41a694939f870c85ac318c75fbcdff2e2f
                                                                                                                                      • Instruction Fuzzy Hash: C98105B0E04289CFDB108F58D8947BEBBB4EF1A300F0401A9DA6497783CB399906D7A1
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 00884050: GetFileAttributesA.KERNELBASE ref: 008840AC
                                                                                                                                        • Part of subcall function 00884050: GetLastError.KERNEL32 ref: 008840B7
                                                                                                                                        • Part of subcall function 00883FC0: CreateDirectoryA.KERNELBASE(?,00000000), ref: 00884005
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 00805AD0
                                                                                                                                      • CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 00805DF5
                                                                                                                                        • Part of subcall function 00884050: std::_Throw_Cpp_error.LIBCPMT ref: 008840FF
                                                                                                                                        • Part of subcall function 00884050: std::_Throw_Cpp_error.LIBCPMT ref: 00884110
                                                                                                                                      • CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 00805CE6
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
                                                                                                                                      • Associated: the same 31 .sdmp regions (007A0000 through 00CA0000) listed under Memory Dump Source for the preceding function entry
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7a0000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateDirectory$Cpp_errorThrow_std::_$AttributesErrorFileLast
                                                                                                                                      • String ID: v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
                                                                                                                                      • API String ID: 453214671-409038647
                                                                                                                                      • Opcode ID: e02b2c9acb90469d1ba7beb1163bf6020a4f29acd4d52f981ec3d5f6f7837be7
                                                                                                                                      • Instruction ID: e01780c34210289d59835c26c43598c7bbc3f3eea0cd1faeb727f15130ca2031
                                                                                                                                      • Opcode Fuzzy Hash: e02b2c9acb90469d1ba7beb1163bf6020a4f29acd4d52f981ec3d5f6f7837be7
                                                                                                                                      • Instruction Fuzzy Hash: EC53BCB1D15268CFDB65DB24CC98BDDBBB4BB49300F0081EAA449A7292DB742F84CF51
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

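The entries on this page are easier to query than to read once they are parsed. The following parser is an added example, not Joe Sandbox output or a Joe Sandbox API: it turns one function entry (APIs, Similarity and Uniqueness fields) into a record and answers the questions a triager actually asks of it, such as which call sites of a given API are in this function versus inside a subcall, and what the String ID decomposes to. The embedded sample text is the entry above, with the "Associated:" dump list omitted and the String ID shortened to three repetitions; the class and function names are the example's own.

```python
"""Parse a Joe Sandbox function-analysis entry into a structured record (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed from the entry on this page; Associated list omitted, String ID shortened.
SAMPLE_ENTRY = """\
APIs
  • Part of subcall function 00884050: GetFileAttributesA.KERNELBASE ref: 008840AC
  • Part of subcall function 00884050: GetLastError.KERNEL32 ref: 008840B7
  • Part of subcall function 00883FC0: CreateDirectoryA.KERNELBASE(?,00000000), ref: 00884005
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00805AD0
• CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 00805DF5
  • Part of subcall function 00884050: std::_Throw_Cpp_error.LIBCPMT ref: 008840FF
  • Part of subcall function 00884050: std::_Throw_Cpp_error.LIBCPMT ref: 00884110
• CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 00805CE6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: CreateDirectory$Cpp_errorThrow_std::_$AttributesErrorFileLast
• String ID: v<Ea$v<Ea$v<Ea
• API String ID: 453214671-409038647
• Opcode ID: e02b2c9acb90469d1ba7beb1163bf6020a4f29acd4d52f981ec3d5f6f7837be7
• Instruction ID: e01780c34210289d59835c26c43598c7bbc3f3eea0cd1faeb727f15130ca2031
• Opcode Fuzzy Hash: e02b2c9acb90469d1ba7beb1163bf6020a4f29acd4d52f981ec3d5f6f7837be7
• Instruction Fuzzy Hash: EC53BCB1D15268CFDB65DB24CC98BDDBBB4BB49300F0081EAA449A7292DB742F84CF51
Uniqueness Score: -1.00%
"""

# "• [Part of subcall function X: ]Name.MODULE[(args)][,] ref: ADDR"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "• Key: value" or "Key: value"; headings without a colon are skipped.
FIELD_LINE = re.compile(r"^\s*(?:•\s*)?(?P<key>[^:•]+?):\s*(?P<val>.*?)\s*$")


@dataclass(frozen=True)
class ApiRef:
    name: str                  # e.g. CreateDirectoryA
    module: str                # e.g. KERNELBASE
    ref: int                   # call-site address
    args: tuple                # argument column as shown; '?' means unresolved
    subcall_of: Optional[int]  # set when the call lives in a callee, not this function

    @property
    def direct(self) -> bool:
        return self.subcall_of is None


@dataclass
class FunctionEntry:
    api_refs: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)


def parse_entry(text: str) -> FunctionEntry:
    entry = FunctionEntry()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            entry.api_refs.append(ApiRef(
                name=m["name"], module=m["module"], ref=int(m["ref"], 16),
                args=args, subcall_of=int(m["sub"], 16) if m["sub"] else None))
            continue
        m = FIELD_LINE.match(line)
        if m:
            entry.fields[m["key"].strip()] = m["val"]
    return entry


def call_sites(entry: FunctionEntry, names, include_subcalls: bool = False):
    """Sorted call-site addresses of the APIs in `names`. Subcall refs belong
    to other functions, so they are excluded unless asked for."""
    return sorted(r.ref for r in entry.api_refs
                  if r.name in names and (include_subcalls or r.direct))


def string_ids(entry: FunctionEntry) -> Counter:
    """String ID is '$'-joined; count repeats instead of reading them."""
    return Counter(s for s in entry.fields.get("String ID", "").split("$") if s)


def api_id_tokens(entry: FunctionEntry) -> list:
    return [t for t in entry.fields.get("API ID", "").split("$") if t]


def fingerprints_consistent(entry: FunctionEntry) -> bool:
    """On this report Opcode ID and Opcode Fuzzy Hash carry the same 64-hex digest;
    check that before using one as a lookup key for the other."""
    return entry.fields.get("Opcode ID") == entry.fields.get("Opcode Fuzzy Hash")


if __name__ == "__main__":
    e = parse_entry(SAMPLE_ENTRY)
    print("direct CreateDirectoryA call sites:",
          [hex(a) for a in call_sites(e, {"CreateDirectoryA"})])
    print("strings:", dict(string_ids(e)), "API tokens:", api_id_tokens(e))
```

Run over every entry of the report, `call_sites` collapses the hundreds of "Part of subcall function" lines into the handful of functions that really issue the call, which is what you want when deciding where to set a breakpoint or which basic blocks to diff against another sample's fuzzy hashes.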
                                                                                                                                      Control-flow Graph (rendered as a figure in the original, with executed and not-executed blocks colour-coded): entry block 7fe090-7fe196 calls 7ab8e0, 7b32d0 and 7bab20 and then CreateDirectoryA; further blocks that call CreateDirectoryA are 7fe30e-7fe326, 7fe401-7fe419, 7fe4ee-7fe50f, 7fe743-7fe75b, 7fe83d-7fe8d9, 7fea51-7fea69, 7feb44-7feb5c, 7fec31-7fec52 and 7fee92-7feeaa; the terminal block is 7fef8e-7ff273 (call 7a2df0). Subroutines called from the graph: 7a2cf0, 7a2df0, 7ab8e0, 7b32d0, 7b6290, 7b62c0, 7b63b0, 7bab20, 7bad80, 7bae20, 8749b0, 87c3e0, 87d2b0, 883b20, 884050.
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 007AB8E0: CreateDirectoryA.KERNELBASE(?,00000000), ref: 007ABA08
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 007FE192
                                                                                                                                      • CreateDirectoryA.KERNEL32(?,00000000,?,-0000004C), ref: 007FE322
                                                                                                                                      • CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,-0000004C), ref: 007FE415
                                                                                                                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 007FE50B
                                                                                                                                      • CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 007FE757
                                                                                                                                      • CreateDirectoryA.KERNELBASE(?,00000000), ref: 007FE8D5
                                                                                                                                      • CreateDirectoryA.KERNEL32(?,00000000,?,-0000004C), ref: 007FEA65
                                                                                                                                      • CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,-0000004C), ref: 007FEB58
                                                                                                                                        • Part of subcall function 00884050: GetFileAttributesA.KERNELBASE ref: 008840AC
                                                                                                                                        • Part of subcall function 00884050: GetLastError.KERNEL32 ref: 008840B7
                                                                                                                                      • CreateDirectoryA.KERNEL32(?,00000000), ref: 007FEC4E
                                                                                                                                      • CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,-0000004C), ref: 007FEEA6
                                                                                                                                        • Part of subcall function 008749B0: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,008F80C7,000000FF), ref: 00874A1C
                                                                                                                                        • Part of subcall function 008749B0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00874A43
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2323643354.00000000007A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323758499.00000000008FA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323799821.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323817101.0000000000922000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323834373.000000000092D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323834373.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323961256.000000000093C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323983621.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324010034.0000000000942000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324010034.0000000000947000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324010034.000000000094A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AF5000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AF7000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B03000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B07000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B09000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7a0000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateDirectory$FolderPath$AttributesErrorFileLast
                                                                                                                                      • String ID: 4<Ea$4<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
                                                                                                                                      • API String ID: 3066340180-3580313535
                                                                                                                                      • Opcode ID: c277fe3d948310359fd7689e97b1e1dc0a8733d7323c8d254fdfc65842f9d2d2
                                                                                                                                      • Instruction ID: b943c0713c1b2fbcf2badf6730a4c000aa1a1dfb03df24a6cf60761c4b0dee95
                                                                                                                                      • Opcode Fuzzy Hash: c277fe3d948310359fd7689e97b1e1dc0a8733d7323c8d254fdfc65842f9d2d2
                                                                                                                                      • Instruction Fuzzy Hash: 029221B1D002ACDBDB25DB68CC99BDDBBB4AB15300F0041E9E449A7292EB741F89DF51
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 14797 864eb0-864ee8 14798 864eee 14797->14798 14799 86527c-865290 14797->14799 14800 864ef4-864efc 14798->14800 14801 864f37-864f80 setsockopt recv WSAGetLastError 14800->14801 14802 864efe-864f24 call 865940 14800->14802 14801->14799 14803 864f86-864f89 14801->14803 14807 864f29-864f31 14802->14807 14805 864f8f-864f96 14803->14805 14806 8651da-865203 call 7d3059 call 7f8650 14803->14806 14808 8651c5-8651d5 recv 14805->14808 14809 864f9c-864ff8 call 7b8dc0 recv 14805->14809 14812 86525f-865261 Sleep 14806->14812 14821 865205 14806->14821 14807->14801 14811 865267-865276 Sleep 14807->14811 14808->14812 14817 865173-865180 14809->14817 14818 864ffe-865019 recv 14809->14818 14811->14799 14811->14800 14812->14811 14822 865182-86518e 14817->14822 14823 8651ae-8651c0 14817->14823 14818->14817 14820 86501f-86505a 14818->14820 14824 86505c-865061 14820->14824 14825 8650cd-86511b call 7b63b0 call 7a8d50 call 8652a0 14820->14825 14826 865207-86520d 14821->14826 14827 86520f-865247 call 7a9280 14821->14827 14828 8651a4-8651ab call 7d38e3 14822->14828 14829 865190-86519e 14822->14829 14823->14812 14830 865077-865081 call 7b8dc0 14824->14830 14831 865063-865075 14824->14831 14846 865120-86512d 14825->14846 14826->14812 14826->14827 14838 86524c-86525a 14827->14838 14828->14823 14829->14828 14833 865291-865296 call 7d8c60 14829->14833 14836 865086-8650cb setsockopt recv 14830->14836 14831->14836 14836->14825 14838->14812 14847 86512f-86513b 14846->14847 14848 86515b-86516f 14846->14848 14849 865151-865158 call 7d38e3 14847->14849 14850 86513d-86514b 14847->14850 14848->14817 14849->14848 14850->14833 14850->14849
                                                                                                                                      APIs
                                                                                                                                      • setsockopt.WS2_32(00000370,0000FFFF,00001006,?,00000008), ref: 00864F56
                                                                                                                                      • recv.WS2_32(?,00000004,00000002), ref: 00864F71
                                                                                                                                      • WSAGetLastError.WS2_32 ref: 00864F75
                                                                                                                                      • recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00864FF3
                                                                                                                                      • recv.WS2_32(00000000,0000000C,00000008), ref: 00865014
                                                                                                                                      • setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 008650B0
                                                                                                                                      • recv.WS2_32(00000000,?,00000008), ref: 008650CB
                                                                                                                                        • Part of subcall function 00865940: WSAStartup.WS2_32 ref: 0086596A
                                                                                                                                        • Part of subcall function 00865940: getaddrinfo.WS2_32(?,?,?,00926328), ref: 008659EC
                                                                                                                                        • Part of subcall function 00865940: socket.WS2_32(?,?,?), ref: 00865A0D
                                                                                                                                        • Part of subcall function 00865940: connect.WS2_32(00000000,008F6B31,?), ref: 00865A21
                                                                                                                                        • Part of subcall function 00865940: closesocket.WS2_32(00000000), ref: 00865A2D
                                                                                                                                        • Part of subcall function 00865940: FreeAddrInfoW.WS2_32(?), ref: 00865A3A
                                                                                                                                        • Part of subcall function 00865940: WSACleanup.WS2_32 ref: 00865A40
                                                                                                                                      • recv.WS2_32(?,00000004,00000008), ref: 008651D3
                                                                                                                                      • __Xtime_get_ticks.LIBCPMT ref: 008651DA
                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008651E8
                                                                                                                                      • Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00865261
                                                                                                                                      • Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00865269
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7a0000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: recv$Sleepsetsockopt$AddrCleanupErrorFreeInfoLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectgetaddrinfosocket
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3089209366-0
                                                                                                                                      • Opcode ID: d18f363556602ccb562feb157e56f3ff22b8b3f480a9cf6a69c58ba9b4e76125
                                                                                                                                      • Instruction ID: 17e48625901af253e4738a2fa9c15f884dc1222d9a80350eca6fe19a53fd2ecc
                                                                                                                                      • Opcode Fuzzy Hash: d18f363556602ccb562feb157e56f3ff22b8b3f480a9cf6a69c58ba9b4e76125
                                                                                                                                      • Instruction Fuzzy Hash: 2AB1CBB0D04308DFEB25DFA8DC89BADBBB1FB45310F200219E454AB2E2D7745984DB82
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 14853 881ad0-881e28 call 7d59a0 RegGetValueA 14856 881e58-881e5c 14853->14856 14857 881e2a-881e39 14853->14857 14858 881f5d-881f70 14856->14858 14859 881e62-881e94 call 7d59a0 GetComputerNameExA 14856->14859 14860 881e40-881e45 14857->14860 14865 881eb8-881ebc 14859->14865 14866 881e96-881e9f 14859->14866 14860->14860 14862 881e47-881e53 call 7b6130 14860->14862 14862->14856 14865->14858 14868 881ec2-881eed call 7d59a0 LsaOpenPolicy 14865->14868 14867 881ea0-881ea5 14866->14867 14867->14867 14869 881ea7-881eb3 call 7b6130 14867->14869 14873 881eef-881f00 LsaQueryInformationPolicy 14868->14873 14874 881f35-881f42 14868->14874 14869->14865 14876 881f2c-881f2f LsaClose 14873->14876 14877 881f02-881f09 14873->14877 14875 881f45-881f4a 14874->14875 14875->14875 14878 881f4c-881f58 call 7b6130 14875->14878 14876->14874 14879 881f0b 14877->14879 14880 881f0e-881f26 call 7a3440 LsaFreeMemory 14877->14880 14878->14858 14879->14880 14880->14876
                                                                                                                                      APIs
                                                                                                                                      • RegGetValueA.KERNELBASE(80000002,?,?,0001FFFF,?,?,00000104), ref: 00881E20
                                                                                                                                      • GetComputerNameExA.KERNELBASE(00000002,?,00000104), ref: 00881E8C
                                                                                                                                      • LsaOpenPolicy.ADVAPI32(00000000,00924684,00000001,?), ref: 00881EE5
                                                                                                                                      • LsaQueryInformationPolicy.ADVAPI32(?,0000000C,?), ref: 00881EF8
                                                                                                                                      • LsaFreeMemory.ADVAPI32(?), ref: 00881F26
                                                                                                                                      • LsaClose.ADVAPI32(?), ref: 00881F2F
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2323643354.00000000007A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323758499.00000000008FA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323799821.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323817101.0000000000922000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323834373.000000000092D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323834373.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323961256.000000000093C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323983621.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324010034.0000000000942000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324010034.0000000000947000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324010034.000000000094A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AF5000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AF7000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B03000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B07000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B09000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7a0000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Policy$CloseComputerFreeInformationMemoryNameOpenQueryValue
                                                                                                                                      • String ID: %wZ$v<Ea
                                                                                                                                      • API String ID: 762890658-2964453009
                                                                                                                                      • Opcode ID: cfb181350c6d559db5897f8be3ac1439abc2d91aa2d4be65fe7b179cad12c191
                                                                                                                                      • Instruction ID: f9a504a080530569e4f22d12a0eb4882e844394a3d414a04ae3df4b247cac9b0
                                                                                                                                      • Opcode Fuzzy Hash: cfb181350c6d559db5897f8be3ac1439abc2d91aa2d4be65fe7b179cad12c191
                                                                                                                                      • Instruction Fuzzy Hash: AFE1E1B4D0425ACBDB14CF98D985BEEBBB4BF08310F204199EA49B7351DB705A85CFA1
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Control-flow Graph (rendered graph omitted; see the APIs list below for the calls it reaches)

                                                                                                                                      APIs
                                                                                                                                      • GetModuleHandleA.KERNEL32(Ws2_32.dll), ref: 007A96A6
                                                                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 007A96B4
                                                                                                                                      • WSASend.WS2_32(?,?,00000001,?,00000000,00000000,00000000), ref: 007A96C9
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7a0000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AddressHandleModuleProcSend
                                                                                                                                      • String ID: Ws2_32.dll$v<Ea$v<Ea
                                                                                                                                      • API String ID: 2819740048-996692458
                                                                                                                                      • Opcode ID: cee7d1606f87823a61e1291008750d296a143c035910f74caad7068cf7e428cc
                                                                                                                                      • Instruction ID: 56eed64a6ee16060143f03704a615fb2570d82a3abf3b850b20b29d041198e1c
                                                                                                                                      • Opcode Fuzzy Hash: cee7d1606f87823a61e1291008750d296a143c035910f74caad7068cf7e428cc
                                                                                                                                      • Instruction Fuzzy Hash: 0202F270D04298DFDF25CFA8C8907ADBBB0FF96310F244289E4456B686D7781986CF92
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Control-flow Graph (rendered graph omitted; the graph reaches ReadFile, GetConsoleMode, ReadConsoleW and GetLastError)

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B03000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B05000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B07000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7a0000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 02d69dc29ea415757c353415412fcd8e93fa814cc4867dc48cef0fa43eff3887
                                                                                                                                      • Instruction ID: 047e3fe10cbf1b5c506fde48b8fb0e5b2ca9fa4070435ddd8433ee56962ae342
                                                                                                                                      • Opcode Fuzzy Hash: 02d69dc29ea415757c353415412fcd8e93fa814cc4867dc48cef0fa43eff3887
                                                                                                                                      • Instruction Fuzzy Hash: 76B11BB0A06284EFDB51DF9AC845BBD7BB1BF4D310F144198E408AB392DB789D41CB62
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
• Associated: 00000000.00000002.2323643354.00000000007A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323758499.00000000008FA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323799821.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323817101.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.000000000092D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000930000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323961256.000000000093C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323983621.0000000000940000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000942000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000947000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.000000000094A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.000000000094E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B03000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B09000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID:
• String ID: v<Ea$v<Ea$v<Ea
• API String ID: 0-1164314080
• Opcode ID: a61a5725223217842ac1283665a30a2da6e7d891d0891103bcb6524dd2bbf577
• Instruction ID: 9544d6e72d3e475b763aaaaeeeb0c2d73594488c38ea8400e1eeaadb7b882f9c
• Opcode Fuzzy Hash: a61a5725223217842ac1283665a30a2da6e7d891d0891103bcb6524dd2bbf577
• Instruction Fuzzy Hash: 07020F70D04288DFDB14DFA8C9497DDBBB0EB54304F1481A9D805AB386D7B95E88DBA2
Uniqueness

Uniqueness Score: -1.00%

APIs
• CopyFileA.KERNEL32(?,?,00000000), ref: 00873DD0
  • Part of subcall function 00873F50: GetLastError.KERNEL32(?,00000000), ref: 00873F83
  • Part of subcall function 00873F50: 6E387CF0.RSTRTMGR(?,00000000,?), ref: 00874000
• std::_Throw_Cpp_error.LIBCPMT ref: 00873F34
• std::_Throw_Cpp_error.LIBCPMT ref: 00873F45
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
• Associated: 00000000.00000002.2323643354.00000000007A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323758499.00000000008FA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323799821.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323817101.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.000000000092D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000930000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323961256.000000000093C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323983621.0000000000940000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000942000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000947000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.000000000094A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.000000000094E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B03000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B09000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_$CopyE387ErrorFileLast
• String ID: v<Ea
• API String ID: 3434067823-4124759590
• Opcode ID: 762700ec1ee001ac31815dad15024421eba9f86cd99feb2ee1445267072ced4b
• Instruction ID: ea06a15dacfe13b7808e99cd5b4d56789bba77f53c535582acf09947393c79e0
• Opcode Fuzzy Hash: 762700ec1ee001ac31815dad15024421eba9f86cd99feb2ee1445267072ced4b
• Instruction Fuzzy Hash: 37D15AB1D00249DBDB14DFA8C9457EEBBB0FF55304F148259D818B7382EB745A89CB92
Uniqueness

Uniqueness Score: -1.00%
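
Worked example, added here and not part of the Joe Sandbox report or of the RisePro sample: a small Python parser for the bullet lines of an "APIs" block, with triage heuristics applied to the CopyFileA record above and the RegOpenKeyExA record that follows. The sample text is the API entries of those two records concatenated, as constructed input. The triage rules are this example's assumptions, not the sandbox's own signature logic: 80000002 in the first RegOpenKeyEx argument is the predefined HKEY_LOCAL_MACHINE handle; a CopyFile* call in the same function as a call into RSTRTMGR (Restart Manager, the Windows API that lists the processes holding a file open) is consistent with copying a file that another process keeps locked, a known way of reading browser databases while the browser runs; an export printed as a bare address, such as 6E387CF0.RSTRTMGR, means the report could not resolve the import name.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the API entries of the CopyFileA and RegOpenKeyExA
# function records, in the shape Joe Sandbox prints them.
SAMPLE_APIS = """\
• CopyFileA.KERNEL32(?,?,00000000), ref: 00873DD0
  • Part of subcall function 00873F50: GetLastError.KERNEL32(?,00000000), ref: 00873F83
  • Part of subcall function 00873F50: 6E387CF0.RSTRTMGR(?,00000000,?), ref: 00874000
• std::_Throw_Cpp_error.LIBCPMT ref: 00873F34
• std::_Throw_Cpp_error.LIBCPMT ref: 00873F45
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00000001,?,?,?,?,?,?,?,?,00000000), ref: 008318A9
• RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,006D869C,?,?,?,?,?,?,?,00000000), ref: 008318CC
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000000), ref: 008318D7
"""

# One entry: optional "Part of subcall function ADDR:" prefix, Name.MODULE,
# optional "(args)" where each arg is a hex value or "?" (unknown), then "ref: ADDR".
_ENTRY = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\S+?)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Predefined registry root handles as they appear in RegOpenKeyEx's first argument.
HKEYS = {
    "80000000": "HKEY_CLASSES_ROOT",
    "80000001": "HKEY_CURRENT_USER",
    "80000002": "HKEY_LOCAL_MACHINE",
    "80000003": "HKEY_USERS",
}


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: str                 # address of the call site in the dump
    subcall: Optional[str]   # callee address when the call was seen inside a subcall

    @property
    def unresolved(self) -> bool:
        # The report prints an export address instead of a name when it could
        # not resolve the import, e.g. "6E387CF0.RSTRTMGR".
        return re.fullmatch(r"[0-9A-F]{8}", self.name) is not None


def parse_api_entries(text: str) -> list:
    """Turn the bullet lines of an APIs block into ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue  # headings or string entries, not API calls
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
    return calls


def hkey_name(arg: str) -> str:
    return HKEYS.get(arg.upper(), "?")


def triage(calls: list) -> dict:
    """Assumed heuristics over one APIs block; not the sandbox's own signatures."""
    flags = {}
    names = {c.name for c in calls}
    modules = {c.module for c in calls}
    for c in calls:
        if c.name.startswith("RegOpenKeyEx") and c.args and hkey_name(c.args[0]) == "HKEY_LOCAL_MACHINE":
            flags["hklm_registry_read"] = f"{c.name} opens HKEY_LOCAL_MACHINE at {c.ref}"
    if "RSTRTMGR" in modules and any(n.startswith("CopyFile") for n in names):
        flags["restart_manager_file_copy"] = (
            "CopyFile* with a Restart Manager call in the same function: "
            "consistent with copying a file another process holds open"
        )
    unresolved = sorted(f"{c.module}!{c.name}" for c in calls if c.unresolved)
    if unresolved:
        flags["unresolved_export"] = unresolved
    return flags


if __name__ == "__main__":
    for call in parse_api_entries(SAMPLE_APIS):
        print(call)
    print(triage(parse_api_entries(SAMPLE_APIS)))
```

The parser keeps the "Part of subcall function" address so that a flag can be traced back to the callee the sandbox attributed the call to (here 00873F50 for the Restart Manager call). The unresolved-export flag is worth keeping separate: a bare address in place of a name is the usual cue to open the dump in a disassembler and resolve the import by hand before trusting any conclusion about what the function does.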

APIs
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00000001,?,?,?,?,?,?,?,?,00000000), ref: 008318A9
• RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,006D869C,?,?,?,?,?,?,?,00000000), ref: 008318CC
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000000), ref: 008318D7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
• Associated: 00000000.00000002.2323643354.00000000007A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323758499.00000000008FA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323799821.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323817101.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.000000000092D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000930000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323961256.000000000093C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323983621.0000000000940000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000942000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000947000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.000000000094A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.000000000094E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AFB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B01000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B03000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B05000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B07000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7a0000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CloseOpenQueryValue
                                                                                                                                      • String ID: v<Ea
                                                                                                                                      • API String ID: 3677997916-4124759590
                                                                                                                                      • Opcode ID: 48bd9aa6017fb052fe63f92833623139f4114397db0521ebd13e3e8584b4d40a
                                                                                                                                      • Instruction ID: 958db49eb0fdcc3ebd58dc6863d7d38a92f37905c7e59b6e873a02bca9957850
                                                                                                                                      • Opcode Fuzzy Hash: 48bd9aa6017fb052fe63f92833623139f4114397db0521ebd13e3e8584b4d40a
                                                                                                                                      • Instruction Fuzzy Hash: 9EC125B0D05219DBDB14DFA8C986BAEBBB0FF48710F204259E915B7381D7745A84CFA1
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNELBASE ref: 008840AC
• GetLastError.KERNEL32 ref: 008840B7
• std::_Throw_Cpp_error.LIBCPMT ref: 008840FF
• std::_Throw_Cpp_error.LIBCPMT ref: 00884110
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
• Associated: 00000000.00000002.2323643354.00000000007A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323758499.00000000008FA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323799821.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323817101.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.000000000092D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000930000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323961256.000000000093C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323983621.0000000000940000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000942000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000947000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.000000000094A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.000000000094E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B03000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B09000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_$AttributesErrorFileLast
• String ID:
• API String ID: 995686243-0
• Opcode ID: 7c5313bed43d82956b9f8ce524b5e3b93bedc1e528144fe2b350fc6635bfa1ca
• Instruction ID: ba9e06b1d9672aae4bb7b6d59320cdbc1f0a7def814b95c8ff7032d38c081f61
• Opcode Fuzzy Hash: 7c5313bed43d82956b9f8ce524b5e3b93bedc1e528144fe2b350fc6635bfa1ca
• Instruction Fuzzy Hash: E01197B2400A02DACB347F38AC08B6A7764FB02734F240325E535DBBD2EB23485AC752
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00882C3F
• GetVolumeInformationA.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00882F4B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
• Associated: 00000000.00000002.2323643354.00000000007A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323758499.00000000008FA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323799821.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323817101.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.000000000092D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000930000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323961256.000000000093C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323983621.0000000000940000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000942000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000947000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.000000000094A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.000000000094E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B03000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B09000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: DirectoryInformationVolumeWindows
• String ID: v<Ea
• API String ID: 3487004747-4124759590
• Opcode ID: 1599c75c7e2488a422b92176c4b27aea51738318ad4de3fe306d02ec7f2f8879
• Instruction ID: 9b849581b104951fd667d7fb6b0150c7454749678b9810818b70fa2e50cd9d4e
• Opcode Fuzzy Hash: 1599c75c7e2488a422b92176c4b27aea51738318ad4de3fe306d02ec7f2f8879
• Instruction Fuzzy Hash: 64F136B0D10249DBDB15CFA8C985BEEFBB1BF09304F244259E544BB341E7756A84CBA1
Uniqueness
Uniqueness Score: -1.00%
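The function records above (and the ones that follow) all share one layout: an "APIs" list of `Name.Module(args), ref: address` bullets, the memory-dump source, the similarity hashes and a uniqueness score. Triaging a long Joe Sandbox execution graph by eye is slow, so here is a small Python parser for that record layout, written as an added example; it is not part of the Joe Sandbox report or its tooling. The regular expression is fitted to the bullet lines visible on this page, the sample input is constructed from this page's own three records with the repeated dump listings trimmed, and the behaviour tags (for instance, flagging `GetWindowsDirectory` followed by `GetVolumeInformation` as a volume-serial host fingerprint, the classic HWID source for stealers) are this example's own heuristic, not a Joe Sandbox classification.

```python
"""Parse Joe Sandbox execution-graph function records and tag API combinations.

Added example; the line format is inferred from the records on this page and the
behaviour tags are this example's own heuristic.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One "APIs" bullet: • Name.MODULE(arg,arg), ref: 0088XXXX  (args and comma optional)
API_LINE = re.compile(
    r"^•\s*(?P<name>\S+?)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{6,8})\s*$"
)


@dataclass
class ApiCall:
    name: str          # as printed, e.g. GetVolumeInformationA, std::_Throw_Cpp_error
    module: str        # KERNELBASE, KERNEL32, LIBCMT, LIBCPMT, ...
    args: Tuple[str, ...]
    ref: int           # address of the call site, parsed from the hex "ref:" field


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    uniqueness: Optional[str] = None


def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into records; a record starts at each bare 'APIs' header."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()                 # report lines carry deep indentation
        if line == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            current.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
        elif line.startswith("Uniqueness Score:"):
            current.uniqueness = line.split(":", 1)[1].strip()
    return records


def bare_name(name: str) -> str:
    """Drop the ANSI/Unicode suffix (GetVolumeInformationA -> GetVolumeInformation)."""
    if len(name) > 1 and name[-1] in "AW" and name[-2].islower():
        return name[:-1]
    return name


def call_sequence(rec: FunctionRecord) -> List[str]:
    """API names in code order (by call-site address), not report order."""
    return [bare_name(c.name) for c in sorted(rec.calls, key=lambda c: c.ref)]


# Heuristic tags (this example's own): a record gets a tag when it contains every API in the key.
BEHAVIOUR_TAGS = {
    frozenset({"GetWindowsDirectory", "GetVolumeInformation"}):
        "volume-serial host fingerprint (HWID)",
    frozenset({"GetFileAttributes", "GetLastError"}):
        "file existence probe",
    frozenset({"DeleteFile", "GetLastError", "__dosmaperr"}):
        "CRT-level file deletion (_wremove/_wunlink pattern)",
}


def tag_record(rec: FunctionRecord) -> List[str]:
    names = {bare_name(c.name) for c in rec.calls}
    return sorted(tag for apis, tag in BEHAVIOUR_TAGS.items() if apis <= names)


# Constructed sample: the three records from this page, dump listings trimmed.
SAMPLE = """\
APIs
• GetFileAttributesA.KERNELBASE ref: 008840AC
• GetLastError.KERNEL32 ref: 008840B7
• std::_Throw_Cpp_error.LIBCPMT ref: 008840FF
• std::_Throw_Cpp_error.LIBCPMT ref: 00884110
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00882C3F
• GetVolumeInformationA.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00882F4B
Strings
Memory Dump Source
Uniqueness Score: -1.00%

APIs
• DeleteFileW.KERNELBASE(?,?,007DD2A1,?), ref: 007EB9CA
• GetLastError.KERNEL32(?,007DD2A1,?), ref: 007EB9D4
• __dosmaperr.LIBCMT ref: 007EB9DB
"""


if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        print(f"record {i}: {' -> '.join(call_sequence(rec))}  tags={tag_record(rec)}")
```

Feeding the whole exported report through `parse_records` and filtering on `tag_record` gives a quick list of the functions worth opening in the disassembler first; the `DeleteFileW` / `GetLastError` / `__dosmaperr` triple, for example, is the shape of the CRT's own `_wunlink` wrapper rather than a hand-written deletion routine, so it is usually less interesting than the callers that reach it.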

                                                                                                                                      APIs
                                                                                                                                      • DeleteFileW.KERNELBASE(?,?,007DD2A1,?), ref: 007EB9CA
                                                                                                                                      • GetLastError.KERNEL32(?,007DD2A1,?), ref: 007EB9D4
                                                                                                                                      • __dosmaperr.LIBCMT ref: 007EB9DB
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: DeleteErrorFileLast__dosmaperr
• String ID:
• API String ID: 1545401867-0
• Opcode ID: 78060b80a62ac5fcbad1f2b28a2bd1d8f959c21b11eceda9286d54d2ea50a2b1
• Instruction ID: 84ac26553a55dc42dad6d31a389002a139c07c619a8730b106bf621b0ca1ab2a
• Opcode Fuzzy Hash: 78060b80a62ac5fcbad1f2b28a2bd1d8f959c21b11eceda9286d54d2ea50a2b1
• Instruction Fuzzy Hash: A7D01272119648B78B042BF7BC0DD273F5DABC43787280651F52DC51A1DF36E891D551
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: __fread_nolock
• String ID: v<Ea
• API String ID: 2638373210-4124759590
• Opcode ID: b216fce3b90687de98fabf1d0a4e59a898d25801ae63d56324934daca1151023
• Instruction ID: 5dfad0d4ca7d30c7e3de1ba1e61c85dc686dc2e3b038e101cc502a71a3e9175f
• Opcode Fuzzy Hash: b216fce3b90687de98fabf1d0a4e59a898d25801ae63d56324934daca1151023
• Instruction Fuzzy Hash: 345159B1D00249DBDB20DF98C946BAEBBB4EF44714F10421DE851AB381D7B56A44CBA2
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: __fread_nolock
• String ID: v<Ea
• API String ID: 2638373210-4124759590
• Opcode ID: 38a7b4343b5cc495c2f319f13505a3d3c78f9cd72cac239a4555ede236685bf8
• Instruction ID: 8af0d15c6bd5020f4485d8d5750ebd4fb542066491eebaa095e55a812c3a4331
• Opcode Fuzzy Hash: 38a7b4343b5cc495c2f319f13505a3d3c78f9cd72cac239a4555ede236685bf8
• Instruction Fuzzy Hash: 5A414AB1D00249DBDB10DF98D886BAEBBB4FF49704F104159E810BB382E779A901CBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• std::_Throw_Cpp_error.LIBCPMT ref: 00873B1A
• std::_Throw_Cpp_error.LIBCPMT ref: 00873B2B
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: Cpp_errorThrow_std::_
• String ID:
• API String ID: 2134207285-0
• Opcode ID: 437624800fedf4e135004a7fa095360d9b0fc106ea02030a496cd95a50a98811
• Instruction ID: a2916b071a6ae673ad3870a0dfc90a0031b664c2c999959a25d1dec6ece2278f
• Opcode Fuzzy Hash: 437624800fedf4e135004a7fa095360d9b0fc106ea02030a496cd95a50a98811
• Instruction Fuzzy Hash: 58412571E04641CBC720DF2CD84272EB7B0FB80314F184329E855A7786E775EA06D792
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,007E8CD6,00000000,CF830579,00917178,0000000C,007E8D92,007DD06D,?), ref: 007E8E45
• GetLastError.KERNEL32(?,007E8CD6,00000000,CF830579,00917178,0000000C,007E8D92,007DD06D,?), ref: 007E8E4F
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: ChangeCloseErrorFindLastNotification
• String ID:
• API String ID: 1687624791-0
• Opcode ID: ba9394ba22be3e53b91392237a0dcf7ef746737f538ee74c43f0fafeb0ef2f08
• Instruction ID: eff5c641a8fa0d95b459240e7ce49dda7dec80ca53fa5f71e0e417c8afda6181
• Opcode Fuzzy Hash: ba9394ba22be3e53b91392237a0dcf7ef746737f538ee74c43f0fafeb0ef2f08
• Instruction Fuzzy Hash: C7114C326071D096C6A66276AC49B7D27898B8D734F2A0A49F81CDB1C2DF39AC818193
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetFilePointerEx.KERNELBASE(00000000,00000000,00916E30,007D2B4E,00000002,007D2B4E,00000000,?,?,?,007E2616,00000000,?,007D2B4E,00000002,00916E30), ref: 007E2548
• GetLastError.KERNEL32(007D2B4E,?,?,?,007E2616,00000000,?,007D2B4E,00000002,00916E30,00000000,007D2B4E,00000000,00916E30,0000000C,007DD60E), ref: 007E2555
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: bf9117061f70f60fbec3f8f723406ba0135644ba9978a1fc33ab11dfc02091e5
• Instruction ID: d406ef09e63db1e653773576ad1ecd9ea437f856546591c7b360120d4fa461a9
• Opcode Fuzzy Hash: bf9117061f70f60fbec3f8f723406ba0135644ba9978a1fc33ab11dfc02091e5
• Instruction Fuzzy Hash: 47012633615185AFCF09CF6ADC15CAE3B2DEB88330B240248F8019B291EA75ED52CB90
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlFreeHeap.NTDLL(00000000,00000000,?,007E1C9E,00000001,?,?,007D4B55,00000000,?,0080A937,18EC83FF,?,007A3522,?,?), ref: 007EB022
• GetLastError.KERNEL32(00000000,?,007E1C9E,00000001,?,?,007D4B55,00000000,?,0080A937,18EC83FF,?,007A3522,?,?), ref: 007EB02D
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.2323643354.00000000007A0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323758499.00000000008FA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323799821.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323817101.0000000000922000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323834373.000000000092D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323834373.0000000000930000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323961256.000000000093C000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2323983621.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324010034.0000000000942000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324010034.0000000000947000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324010034.000000000094A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AF5000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AF7000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B03000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B07000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B09000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7a0000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ErrorFreeHeapLast
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 485612231-0
                                                                                                                                      • Opcode ID: a7bf66127036e026ee712708d52b5e027df76fbb384035e385bdb43855718525
                                                                                                                                      • Instruction ID: 63d104d6483dc90eba78517b42931e646b65e28a8d45ace9b7c556b2d4484d74
                                                                                                                                      • Opcode Fuzzy Hash: a7bf66127036e026ee712708d52b5e027df76fbb384035e385bdb43855718525
                                                                                                                                      • Instruction Fuzzy Hash: 15E08C32101244EBCB212BB6EC0DFAA3A5ABB48365F044020F60C96170DF3D9850C784
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • Concurrency::cancel_current_task.LIBCPMT ref: 007B546E
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7a0000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Concurrency::cancel_current_task
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 118556049-0
                                                                                                                                      • Opcode ID: 247470c331a614f0c4de326aabf7c461ba678b6a7defb3a7108c8406dc44adfe
                                                                                                                                      • Instruction ID: 14853a35498c0704c901a69da8cc81d7ce203eaf1ab53a987587d9d3699c1215
                                                                                                                                      • Opcode Fuzzy Hash: 247470c331a614f0c4de326aabf7c461ba678b6a7defb3a7108c8406dc44adfe
                                                                                                                                      • Instruction Fuzzy Hash: 21617AB1A01615DFCB10CF59C984B9ABBF5FF48710F24816EE4199B391C779EA01CB91
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7a0000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: ca036a2261ff6000a1aed8eb9ac9c6932f0186910c3de27deff8ec8666f63131
                                                                                                                                      • Instruction ID: a9a0c669541eb09d2887fa8b4322f5ca383280e95396be8b6b2c1dddb3a316c9
                                                                                                                                      • Opcode Fuzzy Hash: ca036a2261ff6000a1aed8eb9ac9c6932f0186910c3de27deff8ec8666f63131
                                                                                                                                      • Instruction Fuzzy Hash: FA51C670A00204EFDF54DF58C885AAD7BB2EF49324F29815AF849AB352D735DD41CB92
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 007A32B8
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
• Associated: 00000000.00000002.2323643354.00000000007A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323758499.00000000008FA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323799821.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323817101.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.000000000092D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000930000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323961256.000000000093C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323983621.0000000000940000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000942000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000947000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.000000000094A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.000000000094E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B03000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B09000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: Concurrency::cancel_current_task
• String ID:
• API String ID: 118556049-0
• Opcode ID: 42849b72ea8d03fc776094d2ae746cd05c8102cdbbaf42b32d92640830797b38
• Instruction ID: e7f109a0a522ae75a4c4969a731eed67f50426827eb89ee6b2a57bbf1aaea0f9
• Opcode Fuzzy Hash: 42849b72ea8d03fc776094d2ae746cd05c8102cdbbaf42b32d92640830797b38
• Instruction Fuzzy Hash: AA41C4B1A00514DFCB04DF6CC985A6EBBB5EB89350F14436AF815DB385D738DE018BA1
Uniqueness
• Uniqueness Score: -1.00%
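Reading the dump identifiers in the Memory Dump Source lists by hand is tedious, and the detail that matters most for a packed stealer is buried in one field: which of the captured regions inside the loaded image were writable and executable at dump time, since that is where unpacked code is most likely to sit. The following is an added example, not part of the Joe Sandbox report or its tooling, that decodes the identifiers into base address, RVA relative to the 007A0000 image base given in the Source File line, and page protection, then lists the RWX regions. The eight-field dot-separated layout and the reading of the fifth field as a Win32 PAGE_* protection value are assumptions inferred from the identifiers on this page, not a documented Joe Sandbox format; the sample list is a constructed subset of the identifiers listed above.

```python
"""Decode Joe Sandbox memory-dump identifiers of the form seen in this report.

Added example; not Joe Sandbox code. The field layout is an ASSUMPTION inferred
from the identifiers on the page: eight dot-separated fields before ".sdmp",
where field 0 looks like the process index, field 1 the run, field 3 the region
base address and field 4 the page protection. Field 4 is decoded with the
standard Win32 PAGE_* values, which is also an assumption.
"""
from collections import Counter
from dataclasses import dataclass

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Constructed sample: a subset of the identifiers that appear on this page, and
# the image base taken from the "Offset:" field of the Source File line.
IMAGE_BASE = 0x007A0000
SAMPLE_DUMPS = [
    "00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2323643354.00000000007A0000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2323817101.0000000000922000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2324081576.000000000094E000.00000040.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmp",
]


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    run: int
    dump_id: str  # kept as text: its numeric base is not evident from the page
    base: int
    protect: int
    raw: str

    @property
    def protect_name(self) -> str:
        # Only the low byte carries the PAGE_* access value; modifiers such as
        # PAGE_GUARD live above it and are not present in the sample.
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def is_rwx(self) -> bool:
        return (self.protect & 0xFF) == 0x40

    def rva(self, image_base: int) -> int:
        return self.base - image_base


def parse_dump_name(name: str) -> DumpRegion:
    """Split one identifier into its assumed fields; raises on a malformed name."""
    if not name.endswith(".sdmp"):
        raise ValueError(f"not a .sdmp identifier: {name!r}")
    fields = name[: -len(".sdmp")].split(".")
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {name!r}")
    return DumpRegion(
        process_index=int(fields[0], 16),
        run=int(fields[1], 16),
        dump_id=fields[2],
        base=int(fields[3], 16),
        protect=int(fields[4], 16),
        raw=name,
    )


def rwx_regions(names) -> list:
    """Sorted base addresses of regions dumped as PAGE_EXECUTE_READWRITE.

    Writable and executable pages inside a loaded image are where unpacked or
    self-modifying code tends to live, so they are the first dumps to inspect.
    """
    return sorted(r.base for r in map(parse_dump_name, names) if r.is_rwx)


def protection_histogram(names) -> dict:
    """Count regions per protection name, e.g. {'PAGE_READONLY': 1, ...}."""
    return dict(Counter(parse_dump_name(n).protect_name for n in names))


def region_table(names, image_base: int = IMAGE_BASE) -> list:
    """Rows of (base, rva, protection) for a quick human-readable listing."""
    return [(f"0x{r.base:08X}", f"0x{r.rva(image_base):06X}", r.protect_name)
            for r in map(parse_dump_name, names)]


if __name__ == "__main__":
    for row in region_table(SAMPLE_DUMPS):
        print(*row)
    print("RWX regions:", [hex(b) for b in rwx_regions(SAMPLE_DUMPS)])
```

Fed the full list from this entry, the same functions show that every region from 0094E000 up to 00B41000 was captured with protection 00000040, i.e. RWX under the assumed decoding, while the code at the 007A1000 text base was captured read-execute only. That split, rather than the individual hashes, is what tells an analyst which dumps to load into a disassembler first.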

APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 007C9F7B
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
• Associated: the same dump regions listed for the function at 007A32B8 above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: Concurrency::cancel_current_task
• String ID:
• API String ID: 118556049-0
• Opcode ID: 5227e5300e16c0fd4b7b03a98ceaf71633bb9958b9dc448d81191bd8685b0dd2
• Instruction ID: 699d87cb47f5b9762da7adb65511283591145aeb3c7f49d50daaf1d91284a20b
• Opcode Fuzzy Hash: 5227e5300e16c0fd4b7b03a98ceaf71633bb9958b9dc448d81191bd8685b0dd2
• Instruction Fuzzy Hash: 3341B272A00115DFCB04DF68C849AAEBBB9EB99350F14426EE915E7385D738DE018BE1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ___std_fs_directory_iterator_open@12.LIBCPMT ref: 007A6908
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
• Associated: the same dump regions listed for the function at 007A32B8 above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: ___std_fs_directory_iterator_open@12
• String ID:
• API String ID: 29801545-0
• Opcode ID: 891e69dd3eff687b8964aa0fa00620d2fc0cc89e1415068b77e8d59ef2433ba3
• Instruction ID: a2cadb672f99ac764f297e85e7b43f0dfa4408a08d7a34b29ae0bbb520d00868
• Opcode Fuzzy Hash: 891e69dd3eff687b8964aa0fa00620d2fc0cc89e1415068b77e8d59ef2433ba3
• Instruction Fuzzy Hash: 71216F76E00619EBCB14DF48D855BAEB7B8FB85720F04066AE92963780DB396D05C790
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetupDiGetClassDevsA.SETUPAPI(008FA560,00000000,00000000), ref: 008830F7
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
• Associated: 00000000.00000002.2323643354.00000000007A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323758499.00000000008FA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323799821.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323817101.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.000000000092D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000930000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323961256.000000000093C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323983621.0000000000940000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000942000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000947000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.000000000094A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.000000000094E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF5000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AF7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AF9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AFB000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000AFF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B01000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B03000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B05000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B07000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B09000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_7a0000_file.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ClassDevsSetup
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2330331845-0
                                                                                                                                      • Opcode ID: 947cff12d33b7858f6893a413022120a602fc5f2de22cfba05145ec03f557ac3
                                                                                                                                      • Instruction ID: 78e9bdb647dd6b3dda3ce214cc8f36bfd5f8602bc0c6a2d9a6f21068abf82aba
                                                                                                                                      • Opcode Fuzzy Hash: 947cff12d33b7858f6893a413022120a602fc5f2de22cfba05145ec03f557ac3
                                                                                                                                      • Instruction Fuzzy Hash: FD11ACB0D047489BD7209F28D90A717BBA4FB04B24F10471DE865973C1E7B96A5887D2
                                                                                                                                      Uniqueness

                                                                                                                                      Uniqueness Score: -1.00%

APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 007A331F
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
• Associated: 00000000.00000002.2323643354.00000000007A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323758499.00000000008FA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323799821.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323817101.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.000000000092D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000930000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323961256.000000000093C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323983621.0000000000940000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000942000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000947000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.000000000094A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.000000000094E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B03000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B09000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: Concurrency::cancel_current_task
• String ID:
• API String ID: 118556049-0
• Opcode ID: 6ec4655adc9d8c581670169791bfeb4c3c4bb59604ad5d7a34e59d92e7cd2194
• Instruction ID: 8e347fc77963783eab831398f7b4561f7e0a3441648a8b9333c489ab43d5df45
• Opcode Fuzzy Hash: 6ec4655adc9d8c581670169791bfeb4c3c4bb59604ad5d7a34e59d92e7cd2194
• Instruction Fuzzy Hash: A3F0B472100104DBCF146F64D41A8E9B3F8EF653A17100A7BF88DC7612EB2EDA418791
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 007EB0B8
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
• Associated: 00000000.00000002.2323643354.00000000007A0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323758499.00000000008FA000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323799821.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323817101.0000000000922000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.000000000092D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323834373.0000000000930000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323961256.000000000093C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2323983621.0000000000940000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000942000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.0000000000947000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324010034.000000000094A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.000000000094E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF5000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AF9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000AFF000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B03000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B05000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B07000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B09000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B0F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B34000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324081576.0000000000B41000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2324869799.0000000000CA0000.00000020.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 8ff3445ee8e629794c9330360283e5f8b0218daac3a85bb2da0d5f65dfdccf0f
• Instruction ID: ae5601da76b995fe11568ff602b32e0468845a7b654ac64d7553ecd3aeb7c435
• Opcode Fuzzy Hash: 8ff3445ee8e629794c9330360283e5f8b0218daac3a85bb2da0d5f65dfdccf0f
• Instruction Fuzzy Hash: C8E030311135D0ABE63127779C05B6B2E49AF493B0B150221ED65970E1DF2DEC0095E1
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                      APIs
                                                                                                                                      • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 007A6853
                                                                                                                                        • Part of subcall function 007D1F6B: FindNextFileW.KERNELBASE(?,?,?,007A6858,?,?,?,?,007A691A,?,?,?,00000000,?,?), ref: 007D1F74
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: FileFindNext___std_fs_directory_iterator_advance@8
• String ID:
• API String ID: 3878998205-0
• Opcode ID: fff74abef5ad4ab776fc00913f1374bcbb9169b1c9b3633ac3d7d852fcb85055
• Instruction ID: 340b454187d14ab2f51b12bc5edc22f143964d07715eaae63883424afb606d75
• Opcode Fuzzy Hash: fff74abef5ad4ab776fc00913f1374bcbb9169b1c9b3633ac3d7d852fcb85055
• Instruction Fuzzy Hash: 11D0C926705920611E25662B39099BF469E4ED7BB4B89026AF94AD3242EE0C8C0B40A6
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2323661294.00000000007A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a0000_file.jbxd
Similarity
• API ID: H_prolog3
• String ID:
• API String ID: 431132790-0
• Opcode ID: a9306003e970101730b418f2c91dc82bd0aea721bb9e8afae98ccf3f0939bc66
• Instruction ID: 8ea152f531c7d5dc4e6e495d4057f8ae535502c61cf3c0b6e464e786636292a0
• Opcode Fuzzy Hash: a9306003e970101730b418f2c91dc82bd0aea721bb9e8afae98ccf3f0939bc66
• Instruction Fuzzy Hash: 92E09AB2D0020EDADF00EFE4D546BEFB7B8AB08310F504067A255E6181EB7897448BA1
Uniqueness
• Uniqueness Score: -1.00%