Windows Analysis Report
88Oj06xDol.exe

Overview

General Information

Sample name: 88Oj06xDol.exe
(renamed because the original name is a hash value)
Original sample name: 501172b22cd8ce26e766b8a88a90f12c.exe
Analysis ID: 1417385
MD5: 501172b22cd8ce26e766b8a88a90f12c
SHA1: e73ec22e654bc8269a3fb925160d48b13c840d7d
SHA256: aa7e7a8858f19ab6e33cdaac83983b53c7b1aab28dae5d5892fe3b2c54e89722
Tags: 32, exe, RisePro Stealer, trojan

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Country aware sample found (crashes after keyboard check)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection

Source: 88Oj06xDol.exe Avira: detected
Source: http://193.233.132.167/cost/lenin.exe URL Reputation: Label: malware
Source: http://193.233.132.167/mine/amert.exemj Avira URL Cloud: Label: malware
Source: http://193.233.132.216:57893/hera/amadka.exeom Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/go.exe Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/go.exeUser Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/lenin.exeBuil Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/go.exe8.43 Avira URL Cloud: Label: malware
Source: http://193.233.132.216:57893/hera/amadka.exe Avira URL Cloud: Label: malware
Source: http://193.233.132.167/mine/amert.exeild: Avira URL Cloud: Label: malware
Source: http://193.233.132.167/mine/amert.exedka. Avira URL Cloud: Label: malware
Source: http://193.233.132.167/mine/amert.exebans Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/lenin.exet.liv Avira URL Cloud: Label: malware
Source: http://193.233.132.216:57893/hera/amadka. Avira URL Cloud: Label: malware
Source: http://193.233.132.167/mine/amert.exe Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/go.exe) Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/lenin.exeu Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Avira: detection malicious, Label: HEUR/AGEN.1313019
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Avira: detection malicious, Label: HEUR/AGEN.1313019
Source: http://193.233.132.167/cost/go.exe Virustotal: Detection: 25%
Source: http://193.233.132.216:57893/hera/amadka.exeom Virustotal: Detection: 19%
Source: http://193.233.132.216:57893/hera/amadka.exe Virustotal: Detection: 21%
Source: http://193.233.132.167/cost/lenin.exeBuil Virustotal: Detection: 23%
Source: http://193.233.132.167/mine/amert.exedka. Virustotal: Detection: 23%
Source: http://193.233.132.167/cost/go.exeUser Virustotal: Detection: 23%
Source: http://193.233.132.167/mine/amert.exeild: Virustotal: Detection: 22%
Source: http://193.233.132.216:57893/hera/amadka. Virustotal: Detection: 19%
Source: http://193.233.132.167/mine/amert.exe Virustotal: Detection: 24%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 45%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Virustotal: Detection: 59%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Virustotal: Detection: 59%
Source: 88Oj06xDol.exe ReversingLabs: Detection: 45%
Source: 88Oj06xDol.exe Virustotal: Detection: 47%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: 88Oj06xDol.exe Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\88Oj06xDol.exe Unpacked PE file: 0.2.88Oj06xDol.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 7.2.MPGPH131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 8.2.RageMP131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 18.2.RageMP131.exe.400000.0.unpack
Source: 88Oj06xDol.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\88Oj06xDol.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: Binary string: C:\momivu\letipuwaki82\dopahadiha32\jocul.pdb source: 88Oj06xDol.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr
Source: Binary string: E(C:\momivu\letipuwaki82\dopahadiha32\jocul.pdb source: 88Oj06xDol.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00420060 FindFirstFileA,FindNextFileA,GetLastError,FindClose,SHGetFolderPathA, 0_2_00420060
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0040A160 GetFileAttributesA,GetLastError,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error, 0_2_0040A160
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004DC7AB FindClose,FindFirstFileExW,GetLastError, 0_2_004DC7AB
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0043D4D0 SHGetFolderPathA,GetLastError,GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CopyFileA,GetFileAttributesA,GetLastError,CreateDirectoryA,CopyFileA,CopyFileA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_0043D4D0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0040DC50 CreateDirectoryA,CreateDirectoryA,FindFirstFileA,GetLastError,GetFileAttributesA,GetLastError,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,SHGetFolderPathA,GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,GetLastError,GetLastError,GetLastError,CreateDirectoryA,GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,CreateDirectoryA,GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,CreateDirectoryA,GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_0040DC50
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004FA34D FindFirstFileExW, 0_2_004FA34D
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004DC831 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_004DC831
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0043D848 FindFirstFileA,FindNextFileA, 0_2_0043D848
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00420060 FindFirstFileA,FindNextFileA,GetLastError,FindClose,SHGetFolderPathA, 6_2_00420060
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0040A160 GetFileAttributesA,GetLastError,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error, 6_2_0040A160
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004DC7AB FindClose,FindFirstFileExW,GetLastError, 6_2_004DC7AB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0043D4D0 SHGetFolderPathA,GetLastError,GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CopyFileA,GetFileAttributesA,GetLastError,CreateDirectoryA,CopyFileA,CopyFileA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 6_2_0043D4D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0040DC50 CreateDirectoryA,CreateDirectoryA,FindFirstFileA,GetLastError,GetFileAttributesA,GetLastError,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,SHGetFolderPathA,GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,GetLastError,GetLastError,GetLastError,CreateDirectoryA,GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,CreateDirectoryA,GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,CreateDirectoryA,GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 6_2_0040DC50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004FA34D FindFirstFileExW, 6_2_004FA34D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004DC831 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 6_2_004DC831
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0043D848 FindFirstFileA,FindNextFileA, 6_2_0043D848
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\SysWOW64\IMM32.DLL
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\SysWOW64\
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\SysWOW64\oleaut32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\SysWOW64\msimg32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097\gdiplus.dll
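The Compliance entries above record the static characteristics the sandbox read from the file header (RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE) and, together with the "Detected unpacking (changes PE section rights)" signature, the unpacked images dumped at 0x400000 in each process. The Python below is an added example and not the sandbox's own logic: it parses the COFF header and section table of a PE file and applies two static unpacking hints (a section mapped writable and executable, and an executable section that occupies zero bytes on disk). The report does not list the sample's section table, so the two PE images the code runs against are constructed inside it: a UPX-style layout and a conventional compiler layout. The characteristics value 0x0103 is the combination of the three flags the report names; the section names, sizes and flags are assumptions for the demonstration, not data from the sample.

```python
import struct

# IMAGE_FILE_HEADER.Characteristics bits (PE/COFF specification)
FILE_FLAGS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
IMAGE_FILE_MACHINE_I386 = 0x014C

# IMAGE_SECTION_HEADER.Characteristics bits
IMAGE_SCN_CNT_CODE               = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA   = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE            = 0x20000000
IMAGE_SCN_MEM_READ               = 0x40000000
IMAGE_SCN_MEM_WRITE              = 0x80000000

# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"


def build_pe32(sections, characteristics):
    """Build a headers-only PE32 image as constructed test input for the parser.
    sections: list of (name, virtual_size, raw_size, section_flags)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (0xE0 - 2)  # PE32 magic, rest zeroed
    coff = struct.pack(COFF_FMT, IMAGE_FILE_MACHINE_I386, len(sections),
                       0, 0, 0, len(optional), characteristics)
    headers, va, raw = b"", 0x1000, 0x400
    for name, vsize, rsize, flags in sections:
        headers += struct.pack(SECTION_FMT, name.encode().ljust(8, b"\x00"), vsize, va,
                               rsize, raw if rsize else 0, 0, 0, 0, 0, flags)
        va += (vsize + 0xFFF) & ~0xFFF   # next section on a 4 KiB page boundary
        raw += rsize
    return dos + b"PE\x00\x00" + coff + optional + headers


def parse_pe(data):
    """Parse the COFF header and the section table of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    sec_off = e_lfanew + 4 + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, _, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, data, sec_off + struct.calcsize(SECTION_FMT) * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rsize, "flags": flags})
    return {"machine": machine,
            "flags": [label for bit, label in FILE_FLAGS.items() if chars & bit],
            "sections": sections}


def unpacking_indicators(pe):
    """Static hints that code is written at runtime: sections mapped writable and
    executable, and executable sections that occupy no bytes on disk."""
    findings = []
    for s in pe["sections"]:
        f = s["flags"]
        if f & IMAGE_SCN_MEM_WRITE and f & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s['name']}: mapped writable+executable")
        if f & IMAGE_SCN_MEM_EXECUTE and s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{s['name']}: executable but zero bytes on disk")
    return findings


# Constructed inputs (assumed layouts, not the sample's real section table):
# a UPX-style packed layout and a conventional compiler layout.
PACKED_PE = build_pe32([
    ("UPX0", 0x20000, 0, IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE
     | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ("UPX1", 0x8000, 0x7800, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
     | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", 0x1000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
], characteristics=0x0001 | 0x0002 | 0x0100)  # RELOCS_STRIPPED | EXECUTABLE_IMAGE | 32BIT_MACHINE

CLEAN_PE = build_pe32([
    (".text", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x1000, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
], characteristics=0x0002 | 0x0100)

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_PE), ("clean", CLEAN_PE)):
        pe = parse_pe(blob)
        print(label, pe["flags"], unpacking_indicators(pe) or ["no indicators"])
```

To run it against a real file, call parse_pe(open(path, "rb").read()). Both hints are heuristics: legitimate binaries occasionally ship a writable+executable section and a packer can keep a normal-looking table, so a hit is a reason to inspect the dumped image (the .unpack artifacts listed above), not a verdict on its own.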

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49705 -> 193.233.132.74:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.74:58709 -> 192.168.2.5:49705
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 193.233.132.74:58709 -> 192.168.2.5:49705
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.74:58709 -> 192.168.2.5:49708
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.74:58709 -> 192.168.2.5:49709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 193.233.132.74:58709 -> 192.168.2.5:49708
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49705 -> 193.233.132.74:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49708 -> 193.233.132.74:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49709 -> 193.233.132.74:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.74:58709 -> 192.168.2.5:49714
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.74:58709 -> 192.168.2.5:49726
Source: global traffic TCP traffic: 193.233.132.74 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 193.233.132.74:58709
Source: Joe Sandbox View IP Address: 34.117.186.192
Source: Joe Sandbox View IP Address: 104.26.5.15
Source: Joe Sandbox View IP Address: 193.233.132.74
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown DNS query: name: ipinfo.io
Source: global traffic HTTP traffic detected (5 identical requests):
GET /widget/demo/102.165.48.43 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: ipinfo.io
Source: global traffic HTTP traffic detected (5 identical requests):
GET /demo/home.php?s=102.165.48.43 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: db-ip.com
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.74 (50 identical entries)
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0041E5C0 recv,setsockopt,setsockopt,recv,WSAGetLastError,recv,recv,setsockopt,recv,Sleep,setsockopt,Sleep, 0_2_0041E5C0
Source: unknown DNS traffic detected: queries for: ipinfo.io
Source: 88Oj06xDol.exe, 00000000.00000002.2312341141.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2315642178.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2315777571.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2312752937.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2241298350.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe
Source: MPGPH131.exe, 00000007.00000002.2315777571.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2241298350.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe)
Source: RageMP131.exe, 00000008.00000002.2312752937.0000000000C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe8.43
Source: 88Oj06xDol.exe, 00000000.00000002.2312341141.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exeUser
Source: 88Oj06xDol.exe, 00000000.00000002.2312341141.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2315642178.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2315777571.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2312752937.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2241298350.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe
Source: MPGPH131.exe, 00000006.00000002.2315642178.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exeBuil
Source: MPGPH131.exe, 00000007.00000002.2315777571.0000000000E28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exet.liv
Source: RageMP131.exe, 00000008.00000002.2312752937.0000000000C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exeu
Source: RageMP131.exe, 00000012.00000002.2241298350.0000000000E17000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/amert.exe
Source: RageMP131.exe, 00000008.00000002.2312752937.0000000000C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/amert.exebans
Source: MPGPH131.exe, 00000007.00000002.2315777571.0000000000E28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/amert.exedka.
Source: MPGPH131.exe, 00000006.00000002.2315642178.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/amert.exeild:
Source: MPGPH131.exe, 00000007.00000003.2130340101.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2316164450.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/mine/amert.exemj
Source: RageMP131.exe, 00000012.00000002.2241298350.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.216:57893/hera/amadka.
Source: MPGPH131.exe, 00000007.00000002.2315777571.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2312752937.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2241298350.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.216:57893/hera/amadka.exe
Source: RageMP131.exe, 00000012.00000002.2241298350.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.216:57893/hera/amadka.exeom
Source: RageMP131.exe, 00000008.00000002.2312752937.0000000000C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://32.167/t.exe
Source: Amcache.hve.11.dr String found in binary or memory: http://upx.sf.net
Source: 88Oj06xDol.exe, 88Oj06xDol.exe, 00000000.00000002.2313076081.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000002.2311841381.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 88Oj06xDol.exe, 00000000.00000003.1961677879.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2316436786.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1993156461.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2314558183.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2314756370.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.1993272283.0000000002A60000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2316554026.0000000002920000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2313787279.0000000002920000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2068558033.0000000002A60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2312310407.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2240865237.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000003.2160884328.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2241729460.0000000002950000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: 88Oj06xDol.exe, 00000000.00000003.2050179158.0000000003B35000.00000004.00000020.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000003.2045387985.00000000039D2000.00000004.00000020.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000003.2044307649.00000000039C2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2076408704.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2067475531.00000000039C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2070914367.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2069385144.00000000039C3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2078801049.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2071696928.0000000003AA8000.00000004.00000020.00020000.00000000.sdmp, eRGwV_IcS_seWeb Data.0.dr, B_vahqgwyr8GWeb Data.7.dr, shNnyxJJzgS4Web Data.0.dr, RrH4IDSP30NgWeb Data.6.dr, 2kHBDxAhhi3KWeb Data.7.dr, qL6y_Rgj5O8JWeb Data.6.dr, 3qNuz288nQzDWeb Data.0.dr, gugQbi9O3xzDWeb Data.6.dr, iHUkxIgCDKKqWeb Data.7.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 88Oj06xDol.exe, 00000000.00000003.2050179158.0000000003B35000.00000004.00000020.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000003.2045387985.00000000039D2000.00000004.00000020.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000003.2044307649.00000000039C2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2076408704.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2067475531.00000000039C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2070914367.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2069385144.00000000039C3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2078801049.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2071696928.0000000003AA8000.00000004.00000020.00020000.00000000.sdmp, eRGwV_IcS_seWeb Data.0.dr, B_vahqgwyr8GWeb Data.7.dr, shNnyxJJzgS4Web Data.0.dr, RrH4IDSP30NgWeb Data.6.dr, 2kHBDxAhhi3KWeb Data.7.dr, qL6y_Rgj5O8JWeb Data.6.dr, 3qNuz288nQzDWeb Data.0.dr, gugQbi9O3xzDWeb Data.6.dr, iHUkxIgCDKKqWeb Data.7.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 88Oj06xDol.exe, 00000000.00000003.2050179158.0000000003B35000.00000004.00000020.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000003.2045387985.00000000039D2000.00000004.00000020.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000003.2044307649.00000000039C2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2076408704.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2067475531.00000000039C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2070914367.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2069385144.00000000039C3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2078801049.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2071696928.0000000003AA8000.00000004.00000020.00020000.00000000.sdmp, eRGwV_IcS_seWeb Data.0.dr, B_vahqgwyr8GWeb Data.7.dr, shNnyxJJzgS4Web Data.0.dr, RrH4IDSP30NgWeb Data.6.dr, 2kHBDxAhhi3KWeb Data.7.dr, qL6y_Rgj5O8JWeb Data.6.dr, 3qNuz288nQzDWeb Data.0.dr, gugQbi9O3xzDWeb Data.6.dr, iHUkxIgCDKKqWeb Data.7.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 88Oj06xDol.exe, 00000000.00000003.2050179158.0000000003B35000.00000004.00000020.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000003.2045387985.00000000039D2000.00000004.00000020.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000003.2044307649.00000000039C2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2076408704.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2067475531.00000000039C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2070914367.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2069385144.00000000039C3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2078801049.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2071696928.0000000003AA8000.00000004.00000020.00020000.00000000.sdmp, eRGwV_IcS_seWeb Data.0.dr, B_vahqgwyr8GWeb Data.7.dr, shNnyxJJzgS4Web Data.0.dr, RrH4IDSP30NgWeb Data.6.dr, 2kHBDxAhhi3KWeb Data.7.dr, qL6y_Rgj5O8JWeb Data.6.dr, 3qNuz288nQzDWeb Data.0.dr, gugQbi9O3xzDWeb Data.6.dr, iHUkxIgCDKKqWeb Data.7.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RageMP131.exe, 00000008.00000002.2312752937.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2241298350.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: MPGPH131.exe, 00000006.00000002.2315642178.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2315777571.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2315777571.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2312752937.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2241298350.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=102.165.48.43
Source: RageMP131.exe, 00000008.00000002.2312752937.0000000000C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=102.165.48.43$
Source: 88Oj06xDol.exe, 00000000.00000002.2312341141.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=102.165.48.436
Source: RageMP131.exe, 00000012.00000002.2241298350.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=102.165.48.438
Source: RageMP131.exe, 00000008.00000002.2312752937.0000000000C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=102.165.48.43m
Source: MPGPH131.exe, 00000007.00000002.2315777571.0000000000E28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=102.165.48.43x
Source: RageMP131.exe, 00000008.00000002.2312752937.0000000000C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/zRp
Source: 88Oj06xDol.exe, 00000000.00000002.2312341141.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2315642178.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2312752937.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=102.165.48.43
Source: MPGPH131.exe, 00000007.00000002.2315777571.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2241298350.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=102.165.48.43P
Source: 88Oj06xDol.exe, 00000000.00000003.2050179158.0000000003B35000.00000004.00000020.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000003.2045387985.00000000039D2000.00000004.00000020.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000003.2044307649.00000000039C2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2076408704.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2067475531.00000000039C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2070914367.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2069385144.00000000039C3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2078801049.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2071696928.0000000003AA8000.00000004.00000020.00020000.00000000.sdmp, eRGwV_IcS_seWeb Data.0.dr, B_vahqgwyr8GWeb Data.7.dr, shNnyxJJzgS4Web Data.0.dr, RrH4IDSP30NgWeb Data.6.dr, 2kHBDxAhhi3KWeb Data.7.dr, qL6y_Rgj5O8JWeb Data.6.dr, 3qNuz288nQzDWeb Data.0.dr, gugQbi9O3xzDWeb Data.6.dr, iHUkxIgCDKKqWeb Data.7.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 88Oj06xDol.exe, 00000000.00000003.2050179158.0000000003B35000.00000004.00000020.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000003.2045387985.00000000039D2000.00000004.00000020.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000003.2044307649.00000000039C2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2076408704.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2067475531.00000000039C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2070914367.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2069385144.00000000039C3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2078801049.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2071696928.0000000003AA8000.00000004.00000020.00020000.00000000.sdmp, eRGwV_IcS_seWeb Data.0.dr, B_vahqgwyr8GWeb Data.7.dr, shNnyxJJzgS4Web Data.0.dr, RrH4IDSP30NgWeb Data.6.dr, 2kHBDxAhhi3KWeb Data.7.dr, qL6y_Rgj5O8JWeb Data.6.dr, 3qNuz288nQzDWeb Data.0.dr, gugQbi9O3xzDWeb Data.6.dr, iHUkxIgCDKKqWeb Data.7.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 88Oj06xDol.exe, 00000000.00000003.2050179158.0000000003B35000.00000004.00000020.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000003.2045387985.00000000039D2000.00000004.00000020.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000003.2044307649.00000000039C2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2076408704.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2067475531.00000000039C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2070914367.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2069385144.00000000039C3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2078801049.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2071696928.0000000003AA8000.00000004.00000020.00020000.00000000.sdmp, eRGwV_IcS_seWeb Data.0.dr, B_vahqgwyr8GWeb Data.7.dr, shNnyxJJzgS4Web Data.0.dr, RrH4IDSP30NgWeb Data.6.dr, 2kHBDxAhhi3KWeb Data.7.dr, qL6y_Rgj5O8JWeb Data.6.dr, 3qNuz288nQzDWeb Data.0.dr, gugQbi9O3xzDWeb Data.6.dr, iHUkxIgCDKKqWeb Data.7.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RageMP131.exe, 00000012.00000002.2241298350.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: RageMP131.exe, 00000012.00000002.2241298350.0000000000D78000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/=89
Source: MPGPH131.exe, 00000007.00000002.2315777571.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/C
Source: 88Oj06xDol.exe, 00000000.00000002.2312341141.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2315642178.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2315777571.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2312752937.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2241298350.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: MPGPH131.exe, 00000006.00000002.2315642178.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/T)
Source: 88Oj06xDol.exe, 00000000.00000002.2313076081.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000002.2311841381.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 88Oj06xDol.exe, 00000000.00000003.1961677879.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2316436786.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1993156461.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2314558183.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2314756370.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.1993272283.0000000002A60000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2316554026.0000000002920000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2313787279.0000000002920000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2068558033.0000000002A60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2312310407.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2240865237.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000003.2160884328.0000000002A90000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2241729460.0000000002950000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 00000006.00000002.2315642178.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/p
Source: 88Oj06xDol.exe, 00000000.00000002.2312341141.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000002.2312341141.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2315642178.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2315777571.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2315777571.0000000000DE2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2312752937.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2312752937.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2241298350.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2241298350.0000000000D92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43
Source: MPGPH131.exe, 00000007.00000002.2315777571.0000000000DE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43/
Source: MPGPH131.exe, 00000006.00000002.2315642178.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.439
Source: 88Oj06xDol.exe, 00000000.00000002.2312341141.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43cn
Source: RageMP131.exe, 00000012.00000002.2241298350.0000000000D92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43m
Source: RageMP131.exe, 00000008.00000002.2312752937.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2241298350.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/102.165.48.43
Source: MPGPH131.exe, 00000007.00000002.2315777571.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/102.165.48.430
Source: 88Oj06xDol.exe, 00000000.00000002.2312341141.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/102.165.48.43H
Source: MPGPH131.exe, 00000006.00000002.2315642178.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/102.165.48.43x
Source: D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: MPGPH131.exe, 00000006.00000002.2315642178.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.59M
Source: RageMP131.exe, 00000012.00000002.2241298350.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, cXsJJz24BctXuTWSoaCRfcx.zip.7.dr, a_iqRIngCQdFvZnFgfEPZYy.zip.0.dr, 58Ob04x3bvi6kXoEQuoxoDl.zip.6.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000007.00000003.2130340101.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2316164450.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT$
Source: MPGPH131.exe, 00000007.00000003.2130340101.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2316164450.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT7
Source: MPGPH131.exe, 00000006.00000003.2087888478.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2316072862.0000000000D47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT;
Source: 88Oj06xDol.exe, 00000000.00000002.2314400932.0000000003A98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTON??
Source: 88Oj06xDol.exe, 00000000.00000002.2312341141.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTm
Source: 88Oj06xDol.exe, 00000000.00000003.2063825636.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000002.2312568223.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTv
Source: RageMP131.exe, 00000012.00000002.2241298350.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2241298350.0000000000E23000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.7.dr, passwords.txt.0.dr, passwords.txt.6.dr String found in binary or memory: https://t.me/risepro_bot
Source: RageMP131.exe, 00000012.00000002.2241298350.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botU
Source: RageMP131.exe, 00000008.00000002.2312752937.0000000000C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botamadka.y
Source: MPGPH131.exe, 00000007.00000002.2315777571.0000000000E28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botu
Source: RageMP131.exe, 00000008.00000002.2312752937.0000000000C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botuo
Source: MPGPH131.exe, 00000006.00000002.2315642178.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2315777571.0000000000E28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botxeka
Source: 88Oj06xDol.exe, 00000000.00000002.2312341141.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botxeka.exeF
Source: RageMP131.exe, 00000008.00000002.2312752937.0000000000C48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/riseprou
Source: 88Oj06xDol.exe, 00000000.00000003.2050179158.0000000003B35000.00000004.00000020.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000003.2045387985.00000000039D2000.00000004.00000020.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000003.2044307649.00000000039C2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2076408704.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2067475531.00000000039C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2070914367.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2069385144.00000000039C3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2078801049.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2071696928.0000000003AA8000.00000004.00000020.00020000.00000000.sdmp, eRGwV_IcS_seWeb Data.0.dr, B_vahqgwyr8GWeb Data.7.dr, shNnyxJJzgS4Web Data.0.dr, RrH4IDSP30NgWeb Data.6.dr, 2kHBDxAhhi3KWeb Data.7.dr, qL6y_Rgj5O8JWeb Data.6.dr, 3qNuz288nQzDWeb Data.0.dr, gugQbi9O3xzDWeb Data.6.dr, iHUkxIgCDKKqWeb Data.7.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: 88Oj06xDol.exe, 00000000.00000003.2050179158.0000000003B35000.00000004.00000020.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000003.2045387985.00000000039D2000.00000004.00000020.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000003.2044307649.00000000039C2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2076408704.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2067475531.00000000039C6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2070914367.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2069385144.00000000039C3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2078801049.0000000003A9B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2071696928.0000000003AA8000.00000004.00000020.00020000.00000000.sdmp, eRGwV_IcS_seWeb Data.0.dr, B_vahqgwyr8GWeb Data.7.dr, shNnyxJJzgS4Web Data.0.dr, RrH4IDSP30NgWeb Data.6.dr, 2kHBDxAhhi3KWeb Data.7.dr, qL6y_Rgj5O8JWeb Data.6.dr, 3qNuz288nQzDWeb Data.0.dr, gugQbi9O3xzDWeb Data.6.dr, iHUkxIgCDKKqWeb Data.7.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 88Oj06xDol.exe, MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: 88Oj06xDol.exe, 00000000.00000002.2312341141.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2087888478.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2316072862.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2081703775.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2077208026.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2088086118.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2072643913.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2079331893.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2074558128.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2073667890.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2076158142.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2082139691.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2130340101.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2316164450.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: MPGPH131.exe, 00000007.00000003.2081703775.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2077208026.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2088086118.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2072643913.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2079331893.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2074558128.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2073667890.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2076158142.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2082139691.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2130340101.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2316164450.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/$
Source: MPGPH131.exe, 00000006.00000003.2087888478.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2316072862.0000000000D47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/3
Source: 88Oj06xDol.exe, 00000000.00000002.2314176327.00000000039A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2317240793.00000000039AA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2317275537.00000000039AA000.00000004.00000020.00020000.00000000.sdmp, D87fZN3R3jFeplaces.sqlite.6.dr, 3b6N2Xdh3CYwplaces.sqlite.6.dr, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr, 3b6N2Xdh3CYwplaces.sqlite.7.dr, D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 88Oj06xDol.exe, 00000000.00000002.2314176327.00000000039A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2317240793.00000000039AA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2317275537.00000000039AA000.00000004.00000020.00020000.00000000.sdmp, D87fZN3R3jFeplaces.sqlite.6.dr, 3b6N2Xdh3CYwplaces.sqlite.6.dr, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr, 3b6N2Xdh3CYwplaces.sqlite.7.dr, D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 88Oj06xDol.exe, 00000000.00000002.2312341141.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2087888478.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2316072862.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2081703775.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2077208026.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2088086118.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2072643913.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2079331893.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2074558128.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2073667890.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2076158142.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2082139691.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2130340101.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2316164450.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: MPGPH131.exe, 00000006.00000003.2087888478.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2316072862.0000000000D47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ata
Source: 88Oj06xDol.exe, 00000000.00000002.2312341141.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/atata
Source: 88Oj06xDol.exe, 00000000.00000002.2314176327.00000000039A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2317240793.00000000039AA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2317275537.00000000039AA000.00000004.00000020.00020000.00000000.sdmp, D87fZN3R3jFeplaces.sqlite.6.dr, 3b6N2Xdh3CYwplaces.sqlite.6.dr, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr, 3b6N2Xdh3CYwplaces.sqlite.7.dr, D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: MPGPH131.exe, 00000007.00000003.2130340101.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2316164450.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/in
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49729 version: TLS 1.2
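The twenty "HTTP traffic on port" rows and the ten "HTTPS traffic detected" rows above describe the same ten TLS sessions from two angles: the first set records each direction as a bare port pair, the second names the server and the TLS version, written server-first. The script below is an added example, not part of the report, that joins the two on the client port, groups the sessions by server and checks that both directions were seen, so the analyst reads two server summaries instead of thirty scattered rows. The sample input is a constructed copy of the rows above; the script assumes nothing about which hosts sit behind 34.117.186.192 and 104.26.5.15.

```python
import re
from collections import defaultdict

# Sandbox line shapes: a bare port pair per direction, and a server-first TLS session line.
PORT_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)$")
TLS_RE = re.compile(r"HTTPS traffic detected: (\S+):(\d+) -> (\S+):(\d+) version: (.+)$")

# Constructed sample: the port-pair and TLS session rows copied from this report.
SAMPLE_LINES = """\
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49729 version: TLS 1.2
"""


def parse_sessions(text):
    """Return ({client_port: session}, [client ports seen in port pairs but never in a TLS line]).

    The client ephemeral port is the join key: the TLS line gives server and version,
    the port-pair lines give which directions the sandbox observed.
    """
    sessions = {}
    directions = defaultdict(set)
    for line in text.splitlines():
        m = TLS_RE.search(line)
        if m:
            server, sport, client, cport, version = m.groups()
            sessions[int(cport)] = {
                "server": server, "server_port": int(sport), "client": client,
                "version": version.strip(), "directions": set(),
            }
            continue
        m = PORT_RE.search(line)
        if m:
            src, dst = int(m.group(1)), int(m.group(2))
            if src == 443:
                directions[dst].add("server->client")
            elif dst == 443:
                directions[src].add("client->server")
    unmatched = []
    for cport, dirs in directions.items():
        if cport in sessions:
            sessions[cport]["directions"] = dirs
        else:
            unmatched.append(cport)
    return sessions, sorted(unmatched)


def summarize(sessions):
    """Group sessions by (server, port): client ports, TLS versions, and how many were two-way."""
    per_server = defaultdict(lambda: {"client_ports": [], "versions": set(), "bidirectional": 0})
    for cport in sorted(sessions):
        s = sessions[cport]
        entry = per_server[(s["server"], s["server_port"])]
        entry["client_ports"].append(cport)
        entry["versions"].add(s["version"])
        if s["directions"] == {"client->server", "server->client"}:
            entry["bidirectional"] += 1
    return dict(per_server)


if __name__ == "__main__":
    sessions, unmatched = parse_sessions(SAMPLE_LINES)
    for (server, port), info in summarize(sessions).items():
        print(f"{server}:{port} sessions={len(info['client_ports'])} "
              f"two-way={info['bidirectional']} versions={sorted(info['versions'])} "
              f"client_ports={info['client_ports']}")
    if unmatched:
        print("port pairs without a TLS session line:", unmatched)
```

Five sessions to each of the two servers, all TLS 1.2 and all two-way, is the shape to carry into the network section: repeated short sessions to the same pair of hosts within one run, rather than a single long connection.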
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0040AAF0 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown, 0_2_0040AAF0

System Summary

Source: 00000007.00000002.2316400786.0000000002766000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.2316436786.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2313076081.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.2316323238.0000000002803000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.2313315537.00000000026B3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000012.00000002.2241600409.0000000002716000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000012.00000002.2241729460.0000000002950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000007.00000002.2316554026.0000000002920000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.2313787279.0000000002920000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2312937613.00000000027D3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
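Each MEMORY match above names its source with the sandbox's dump identifier, and that identifier is worth reading: the base address says where in the process the rule hit, the protection field says whether the page was executable, and the region-type field says whether the memory was mapped from a file or allocated at runtime. An executable private region that matches a stealer rule is the usual signature of an unpacked or injected payload. The script below is an added example, not part of the report or of the rules' authors' tooling, that parses the ten identifiers above and flags such regions per process. The PAGE_* and MEM_* values are the documented Win32 constants; the field layout of the identifier and the hex reading of the process index are assumptions inferred from the identifiers on this page, and two fields are carried through unnamed. The rule names are reported exactly as the sandbox printed them; the parser makes no judgement about which family the matched code belongs to.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Documented Win32 constants.
PAGE_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80
MEM_PRIVATE = 0x20000
MEM_TYPES = {MEM_PRIVATE: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed identifier layout, inferred from the identifiers in this report (not documented here):
#   <process index>.<snapshot>.<dump id>.<base address>.<protection>.<unknown>.<region type>.<unknown>.sdmp
DUMP_RE = re.compile(
    r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\."
    r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp"
)
MATCH_RE = re.compile(r"Source: (\S+\.sdmp), type: MEMORY Matched rule: (\S+)")

# Constructed sample: the ten MEMORY match rows copied from this report.
SAMPLE = """\
Source: 00000007.00000002.2316400786.0000000002766000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.2316436786.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2313076081.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.2316323238.0000000002803000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.2313315537.00000000026B3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000012.00000002.2241600409.0000000002716000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000012.00000002.2241729460.0000000002950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000007.00000002.2316554026.0000000002920000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.2313787279.0000000002920000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2312937613.00000000027D3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
"""


@dataclass(frozen=True)
class MemMatch:
    proc: int       # analysis process index, read as hex (assumption)
    snapshot: int
    base: int
    protect: int
    memtype: int
    rule: str

    @property
    def protect_name(self) -> str:
        return PAGE_NAMES.get(self.protect & 0xFF, hex(self.protect))

    @property
    def memtype_name(self) -> str:
        return MEM_TYPES.get(self.memtype, hex(self.memtype))

    @property
    def executable_private(self) -> bool:
        """Executable memory that was not mapped from a file: unpacked or injected code."""
        return bool(self.protect & PAGE_EXECUTE_MASK) and self.memtype == MEM_PRIVATE


def parse_matches(text: str) -> List[MemMatch]:
    out = []
    for line in text.splitlines():
        m = MATCH_RE.search(line)
        if not m:
            continue
        d = DUMP_RE.fullmatch(m.group(1))
        if not d:
            continue  # identifier not in the assumed layout; skip rather than guess
        out.append(MemMatch(
            proc=int(d.group(1), 16), snapshot=int(d.group(2), 16),
            base=int(d.group(4), 16), protect=int(d.group(5), 16),
            memtype=int(d.group(7), 16), rule=m.group(2),
        ))
    return out


def by_process(matches: List[MemMatch]) -> Dict[int, List[MemMatch]]:
    grouped: Dict[int, List[MemMatch]] = {}
    for m in matches:
        grouped.setdefault(m.proc, []).append(m)
    return grouped


def triage_report(matches: List[MemMatch]) -> List[str]:
    """One line per match, sorted by process then base address, flagged when the region is RWX private."""
    lines = []
    for proc, items in sorted(by_process(matches).items()):
        for m in sorted(items, key=lambda x: x.base):
            flag = "unpacked/injected" if m.executable_private else "not flagged"
            lines.append(f"proc {proc:#x} base {m.base:#010x} {m.protect_name} "
                         f"{m.memtype_name} {m.rule} [{flag}]")
    return lines


if __name__ == "__main__":
    print("\n".join(triage_report(parse_matches(SAMPLE))))
```

All ten matches land in PAGE_EXECUTE_READWRITE private memory, in five different process indices, which is why the unpacking and injection signatures and the in-memory rule hits belong to the same story: the code that matched never existed as a file section with those rights.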
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00420060 0_2_00420060
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0045E160 0_2_0045E160
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004421C0 0_2_004421C0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00440260 0_2_00440260
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0048E350 0_2_0048E350
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00456320 0_2_00456320
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004485E0 0_2_004485E0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00458670 0_2_00458670
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00422700 0_2_00422700
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004EA73D 0_2_004EA73D
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0043A7A0 0_2_0043A7A0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004569A0 0_2_004569A0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00436A00 0_2_00436A00
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00430AE0 0_2_00430AE0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004CCB60 0_2_004CCB60
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00434B00 0_2_00434B00
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0043CB80 0_2_0043CB80
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0048F040 0_2_0048F040
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004250B0 0_2_004250B0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00431250 0_2_00431250
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004612C0 0_2_004612C0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0042B470 0_2_0042B470
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0043D4D0 0_2_0043D4D0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00417630 0_2_00417630
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004156D0 0_2_004156D0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463732 0_2_00463732
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00427A00 0_2_00427A00
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0043BBC0 0_2_0043BBC0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0042DBB0 0_2_0042DBB0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0040DC50 0_2_0040DC50
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00437C50 0_2_00437C50
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004DBC20 0_2_004DBC20
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00423DA0 0_2_00423DA0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0048DDB0 0_2_0048DDB0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00429E50 0_2_00429E50
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0043BE50 0_2_0043BE50
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463E84 0_2_00463E84
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00441FA0 0_2_00441FA0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004D20C0 0_2_004D20C0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004960E0 0_2_004960E0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004900AF 0_2_004900AF
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004F81A4 0_2_004F81A4
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0045A219 0_2_0045A219
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0045E2C8 0_2_0045E2C8
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00440318 0_2_00440318
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00486390 0_2_00486390
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0044A3A8 0_2_0044A3A8
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0044E3B0 0_2_0044E3B0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004924D0 0_2_004924D0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004024F0 0_2_004024F0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00430530 0_2_00430530
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004605C8 0_2_004605C8
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004325E4 0_2_004325E4
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0044A5F9 0_2_0044A5F9
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004146F0 0_2_004146F0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00460748 0_2_00460748
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0045E779 0_2_0045E779
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004CE830 0_2_004CE830
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004888F0 0_2_004888F0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004A0930 0_2_004A0930
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0045A9C8 0_2_0045A9C8
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0042E9D9 0_2_0042E9D9
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0043A9E9 0_2_0043A9E9
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0044A9F9 0_2_0044A9F9
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00484990 0_2_00484990
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0049C9A0 0_2_0049C9A0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004EAA7F 0_2_004EAA7F
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00492AB0 0_2_00492AB0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0048EB70 0_2_0048EB70
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00474B30 0_2_00474B30
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00436C64 0_2_00436C64
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00484D20 0_2_00484D20
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0048EE10 0_2_0048EE10
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00458E19 0_2_00458E19
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00422E98 0_2_00422E98
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00458F79 0_2_00458F79
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004FEF22 0_2_004FEF22
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00426FF7 0_2_00426FF7
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004E7070 0_2_004E7070
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004E5038 0_2_004E5038
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004370E8 0_2_004370E8
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004890B0 0_2_004890B0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004A5197 0_2_004A5197
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0042D208 0_2_0042D208
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00481220 0_2_00481220
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004452C0 0_2_004452C0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00427289 0_2_00427289
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004852B0 0_2_004852B0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004B7330 0_2_004B7330
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0045F3E7 0_2_0045F3E7
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004BD380 0_2_004BD380
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004434B7 0_2_004434B7
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0042D4B8 0_2_0042D4B8
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004C1530 0_2_004C1530
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0048B5C0 0_2_0048B5C0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0042D5A8 0_2_0042D5A8
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00491630 0_2_00491630
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00459639 0_2_00459639
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004196C0 0_2_004196C0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0044B750 0_2_0044B750
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004D57E0 0_2_004D57E0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00483790 0_2_00483790
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004E18B0 0_2_004E18B0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00449900 0_2_00449900
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004D1900 0_2_004D1900
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0048DA00 0_2_0048DA00
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00489AC2 0_2_00489AC2
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0045BBD0 0_2_0045BBD0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00495C10 0_2_00495C10
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00485CE0 0_2_00485CE0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0049BCF0 0_2_0049BCF0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0042BD78 0_2_0042BD78
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00420060 6_2_00420060
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0045E160 6_2_0045E160
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004421C0 6_2_004421C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00440260 6_2_00440260
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0048E350 6_2_0048E350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00456320 6_2_00456320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004485E0 6_2_004485E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00458670 6_2_00458670
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00422700 6_2_00422700
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004EA73D 6_2_004EA73D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0043A7A0 6_2_0043A7A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004569A0 6_2_004569A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00436A00 6_2_00436A00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00430AE0 6_2_00430AE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004CCB60 6_2_004CCB60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00434B00 6_2_00434B00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0043CB80 6_2_0043CB80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0048F040 6_2_0048F040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004250B0 6_2_004250B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00431250 6_2_00431250
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004612C0 6_2_004612C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004B7330 6_2_004B7330
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0042B470 6_2_0042B470
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0043D4D0 6_2_0043D4D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00417630 6_2_00417630
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463732 6_2_00463732
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00427A00 6_2_00427A00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0043BBC0 6_2_0043BBC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0042DBB0 6_2_0042DBB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0040DC50 6_2_0040DC50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00437C50 6_2_00437C50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004DBC20 6_2_004DBC20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00423DA0 6_2_00423DA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0048DDB0 6_2_0048DDB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00429E50 6_2_00429E50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0043BE50 6_2_0043BE50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463E84 6_2_00463E84
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00441FA0 6_2_00441FA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004D20C0 6_2_004D20C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004960E0 6_2_004960E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004900AF 6_2_004900AF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004F81A4 6_2_004F81A4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0045A219 6_2_0045A219
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0045E2C8 6_2_0045E2C8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00440318 6_2_00440318
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00486390 6_2_00486390
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0044A3A8 6_2_0044A3A8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0044E3B0 6_2_0044E3B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004924D0 6_2_004924D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004024F0 6_2_004024F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00430530 6_2_00430530
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004605C8 6_2_004605C8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004325E4 6_2_004325E4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0044A5F9 6_2_0044A5F9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004146F0 6_2_004146F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00460748 6_2_00460748
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0045E779 6_2_0045E779
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004CE830 6_2_004CE830
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004888F0 6_2_004888F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004A0930 6_2_004A0930
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0045A9C8 6_2_0045A9C8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0042E9D9 6_2_0042E9D9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0043A9E9 6_2_0043A9E9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0044A9F9 6_2_0044A9F9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00484990 6_2_00484990
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0049C9A0 6_2_0049C9A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004EAA7F 6_2_004EAA7F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00492AB0 6_2_00492AB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0048EB70 6_2_0048EB70
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00474B30 6_2_00474B30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00436C64 6_2_00436C64
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00484D20 6_2_00484D20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0048EE10 6_2_0048EE10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00458E19 6_2_00458E19
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00422E98 6_2_00422E98
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00458F79 6_2_00458F79
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004FEF22 6_2_004FEF22
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00426FF7 6_2_00426FF7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004E7070 6_2_004E7070
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004E5038 6_2_004E5038
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004370E8 6_2_004370E8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004890B0 6_2_004890B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004A5197 6_2_004A5197
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0042D208 6_2_0042D208
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00481220 6_2_00481220
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004452C0 6_2_004452C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00427289 6_2_00427289
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004852B0 6_2_004852B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0045F3E7 6_2_0045F3E7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004BD380 6_2_004BD380
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004434B7 6_2_004434B7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0042D4B8 6_2_0042D4B8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004C1530 6_2_004C1530
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0048B5C0 6_2_0048B5C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0042D5A8 6_2_0042D5A8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00491630 6_2_00491630
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00459639 6_2_00459639
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004196C0 6_2_004196C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004156D0 6_2_004156D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0044B750 6_2_0044B750
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004D57E0 6_2_004D57E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00483790 6_2_00483790
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004E18B0 6_2_004E18B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00449900 6_2_00449900
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004D1900 6_2_004D1900
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0048DA00 6_2_0048DA00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00489AC2 6_2_00489AC2
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0045BBD0 6_2_0045BBD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00495C10 6_2_00495C10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00485CE0 6_2_00485CE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0049BCF0 6_2_0049BCF0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0042BD78 6_2_0042BD78
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0042DD06 6_2_0042DD06
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0045FDE8 6_2_0045FDE8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00491DF0 6_2_00491DF0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0042DD88 6_2_0042DD88
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00487E10 6_2_00487E10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00437EE7 6_2_00437EE7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00431F88 6_2_00431F88
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004D3FB0 6_2_004D3FB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0299529F 6_2_0299529F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0293F2A7 6_2_0293F2A7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_029972D7 6_2_029972D7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_02984217 6_2_02984217
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_028D725E 6_2_028D725E
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_028D5317 6_2_028D5317
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_02982327 6_2_02982327
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_028D30FF 6_2_028D30FF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_028D4007 6_2_028D4007
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_02942057 6_2_02942057
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0293F077 6_2_0293F077
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_02938077 6_2_02938077
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: String function: 0046E350 appears 41 times
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: String function: 00491C30 appears 112 times
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: String function: 004DEAB0 appears 54 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 0046E350 appears 42 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 00491C30 appears 118 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 004DEAB0 appears 60 times
Source: C:\Users\user\Desktop\88Oj06xDol.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 1816
Source: 88Oj06xDol.exe Binary or memory string: OriginalFilename vs 88Oj06xDol.exe
Source: 88Oj06xDol.exe, 00000000.00000003.1990641225.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWell2 vs 88Oj06xDol.exe
Source: 88Oj06xDol.exe, 00000000.00000002.2313076081.00000000028C0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs 88Oj06xDol.exe
Source: 88Oj06xDol.exe, 00000000.00000003.2094026594.0000000002AC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWell2 vs 88Oj06xDol.exe
Source: 88Oj06xDol.exe, 00000000.00000002.2311841381.0000000000400000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs 88Oj06xDol.exe
Source: 88Oj06xDol.exe, 00000000.00000003.1961677879.0000000002A00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs 88Oj06xDol.exe
Source: 88Oj06xDol.exe, 00000000.00000002.2312239191.0000000000B70000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameWell2 vs 88Oj06xDol.exe
Source: 88Oj06xDol.exe Binary or memory string: OriginalFilenameWell2 vs 88Oj06xDol.exe
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\88Oj06xDol.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msimg32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msvcr100.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msimg32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: 88Oj06xDol.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000007.00000002.2316400786.0000000002766000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.2316436786.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2313076081.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.2316323238.0000000002803000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.2313315537.00000000026B3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000012.00000002.2241600409.0000000002716000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000012.00000002.2241729460.0000000002950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000007.00000002.2316554026.0000000002920000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.2313787279.0000000002920000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2312937613.00000000027D3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@15/88@2/3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00493F80 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA, 6_2_00493F80
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004938A0 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA, 0_2_004938A0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0040BF30 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0040BF30
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004146F0 CoInitializeEx,CoCreateInstance,RegCreateKeyExA,RegCreateKeyExA,RegCreateKeyExA,RegCreateKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegCreateKeyExA,CoUninitialize, 0_2_004146F0
Source: C:\Users\user\Desktop\88Oj06xDol.exe File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2748:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1816
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6632:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2792
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2584
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4448
Source: C:\Users\user\Desktop\88Oj06xDol.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: 88Oj06xDol.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\88Oj06xDol.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\88Oj06xDol.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 88Oj06xDol.exe, 88Oj06xDol.exe, 00000000.00000002.2313076081.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000002.2311841381.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 88Oj06xDol.exe, 00000000.00000003.1961677879.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2316436786.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1993156461.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2314558183.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2314756370.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.1993272283.0000000002A60000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2316554026.0000000002920000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2313787279.0000000002920000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 88Oj06xDol.exe, 00000000.00000002.2313076081.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000002.2311841381.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 88Oj06xDol.exe, 00000000.00000003.1961677879.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2316436786.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1993156461.0000000002A00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2314558183.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2314756370.0000000000400000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.1993272283.0000000002A60000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2316554026.0000000002920000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2313787279.0000000002920000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 88Oj06xDol.exe, 00000000.00000003.2043355540.00000000039B0000.00000004.00000020.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000003.2052109955.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, 88Oj06xDol.exe, 00000000.00000003.2051913774.0000000000CB4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2066241200.00000000039B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2081703775.0000000000EAF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2065635807.00000000039B0000.00000004.00000020.00020000.00000000.sdmp, 6OJnmNBDXxGvLogin Data For Account.0.dr, l6xghxzbqyRrLogin Data.0.dr, BPPb8A_Hh3BCLogin Data.0.dr, CSZ5vMWomTYkLogin Data For Account.7.dr, 6VR768BwGZLWLogin Data.7.dr, 1YG4CXpV7Tc7Login Data For Account.6.dr, dG03QTd5iBxQLogin Data.6.dr, lxk6__g04pxKLogin Data.7.dr, DqFc2zfDky3PLogin Data.6.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 88Oj06xDol.exe ReversingLabs: Detection: 45%
Source: 88Oj06xDol.exe Virustotal: Detection: 47%
Source: 88Oj06xDol.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\88Oj06xDol.exe File read: C:\Users\user\Desktop\88Oj06xDol.exe
Source: unknown Process created: C:\Users\user\Desktop\88Oj06xDol.exe "C:\Users\user\Desktop\88Oj06xDol.exe"
Source: C:\Users\user\Desktop\88Oj06xDol.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\88Oj06xDol.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\88Oj06xDol.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 1816
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1848
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1768
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 1608
Source: C:\Users\user\Desktop\88Oj06xDol.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\88Oj06xDol.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\88Oj06xDol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\88Oj06xDol.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: 88Oj06xDol.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\momivu\letipuwaki82\dopahadiha32\jocul.pdb source: 88Oj06xDol.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr
Source: Binary string: E(C:\momivu\letipuwaki82\dopahadiha32\jocul.pdb source: 88Oj06xDol.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\88Oj06xDol.exe Unpacked PE file: 0.2.88Oj06xDol.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 7.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 8.2.RageMP131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 18.2.RageMP131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\88Oj06xDol.exe Unpacked PE file: 0.2.88Oj06xDol.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 7.2.MPGPH131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 8.2.RageMP131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 18.2.RageMP131.exe.400000.0.unpack
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0043BBC0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 0_2_0043BBC0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004DE689 push ecx; ret 0_2_004DE69C
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004B8AFE push ds; retn 0000h 0_2_004B8AFF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004DE689 push ecx; ret 6_2_004DE69C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004B8AFE push ds; retn 0000h 6_2_004B8AFF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0280643F pushad ; ret 6_2_02806476
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_028056B9 pushad ; iretd 6_2_028056CF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_02809AFB push 00000021h; retf 6_2_02809AFD
Source: C:\Users\user\Desktop\88Oj06xDol.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\88Oj06xDol.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\88Oj06xDol.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Boot Survival

Source: C:\Users\user\Desktop\88Oj06xDol.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\88Oj06xDol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Desktop\88Oj06xDol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00484D20 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00484D20
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: c:\users\user\desktop\88oj06xdol.exe Event Logs and Signature results: Application crash and keyboard check
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\Users\user\Desktop\88Oj06xDol.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\88Oj06xDol.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\88Oj06xDol.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 0_2_00463320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 6_2_00463320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evaded block: after key decision
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\88Oj06xDol.exe TID: 1492 Thread sleep count: 77 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1776 Thread sleep count: 34 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00467900 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 00467910h country: Upper Sorbian (hsb) 0_2_00467900
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00467900 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 00467910h country: Upper Sorbian (hsb) 6_2_00467900
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00493E00 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 00493E51h 6_2_00493E00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_02944067 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 029440B8h 6_2_02944067
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00420060 FindFirstFileA,FindNextFileA,GetLastError,FindClose,SHGetFolderPathA, 0_2_00420060
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0040A160 GetFileAttributesA,GetLastError,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error, 0_2_0040A160
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004DC7AB FindClose,FindFirstFileExW,GetLastError, 0_2_004DC7AB
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0043D4D0 SHGetFolderPathA,GetLastError,GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CopyFileA,GetFileAttributesA,GetLastError,CreateDirectoryA,CopyFileA,CopyFileA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_0043D4D0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0040DC50 CreateDirectoryA,CreateDirectoryA,FindFirstFileA,GetLastError,GetFileAttributesA,GetLastError,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,SHGetFolderPathA,GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,GetLastError,GetLastError,GetLastError,CreateDirectoryA,GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,CreateDirectoryA,GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,CreateDirectoryA,GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_0040DC50
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004FA34D FindFirstFileExW, 0_2_004FA34D
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004DC831 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_004DC831
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0043D848 FindFirstFileA,FindNextFileA, 0_2_0043D848
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00420060 FindFirstFileA,FindNextFileA,GetLastError,FindClose,SHGetFolderPathA, 6_2_00420060
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0040A160 GetFileAttributesA,GetLastError,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error, 6_2_0040A160
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004DC7AB FindClose,FindFirstFileExW,GetLastError, 6_2_004DC7AB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0043D4D0 SHGetFolderPathA,GetLastError,GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CopyFileA,GetFileAttributesA,GetLastError,CreateDirectoryA,CopyFileA,CopyFileA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 6_2_0043D4D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0040DC50 CreateDirectoryA,CreateDirectoryA,FindFirstFileA,GetLastError,GetFileAttributesA,GetLastError,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,SHGetFolderPathA,GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,GetLastError,GetLastError,GetLastError,CreateDirectoryA,GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,CreateDirectoryA,GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,CreateDirectoryA,GetFileAttributesA,GetLastError,GetFileAttributesA,GetLastError,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 6_2_0040DC50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004FA34D FindFirstFileExW, 6_2_004FA34D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004DC831 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 6_2_004DC831
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0043D848 FindFirstFileA,FindNextFileA, 6_2_0043D848
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0040BF30 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0040BF30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\SysWOW64\IMM32.DLL
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\SysWOW64\
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\SysWOW64\oleaut32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\SysWOW64\msimg32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097\gdiplus.dll
Source: MPGPH131.exe, 00000006.00000003.2080544213.00000000039BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: formVMware20,11696428655
Source: MPGPH131.exe, 00000006.00000003.2080544213.00000000039BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ccount.microsoft.com/profileVMware20,11696428655u
Source: MPGPH131.exe, 00000007.00000002.2317451504.0000000003AA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000006.00000003.2080544213.00000000039BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696
Source: MPGPH131.exe, 00000007.00000003.2086550919.0000000003AAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .comVMware20,11696428
Source: MPGPH131.exe, 00000006.00000003.2080544213.00000000039BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r global passwords blocklistVMware20,11696428655
Source: MPGPH131.exe, 00000006.00000003.2080544213.00000000039BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,11696428655
Source: RageMP131.exe, 00000008.00000002.2312752937.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 00000007.00000002.2315777571.0000000000E28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_539CCBACl
Source: Amcache.hve.11.dr Binary or memory string: vmci.sys
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000003.2086550919.0000000003AAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ebrokers.co.inVMware20,11696428655d
Source: MPGPH131.exe, 00000006.00000002.2317240793.00000000039C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}1ji385:438026,i1g2g604:437359,9ffeg962:402950,e37a0582:438880,cf:403575,3da3b319:434919,d68dd294:435290,web-select-unship:450753,8j079527:448887,i2e7g608:426901,6h1eh131:441212,e92c6808:416905,10ad8400:434605,9d4ca945:415901,identifydb:415105,walletpswlinkupdate:438029,ijd96734:409016,1c484819:413463,0188i430:410947,74g97287:426089,3cej0868:387697,bi4f4994:450434,j4d0f649:415920,be37a759:398467,9cc60973:411866,downarrowscrollwithtriggernew:379502,nonfloatingwithouttoggle:430356,f7bdg612:421301,d78jg254:440485,60a06606:446395,e8455899:433611,ed254:256435,a5g3j174:427088,domexpansion_v1:408272,sidepanecashbackclickv1:392715,ed429:371711,savingsyesui:360239,0iie5378:378326,j3jdi477:407165,g9744299:382390,0ce12802:395899,ed0317:378541,e5097847:376095,d699f664:417781,v1_newnotificationsettingsu:371743,13gjf650:361709,2chfa640:363442,edse218:361564,i5ceh755:348150,pcproductbyregexenus:345020,2ae48381:440529,i4d2e897:416850,0cdi8526:390116,158hf900:358403,edpas404:384675,followablewebwpo:339322,1ebea465:393468,72dhd990:347218,b5691989:400307,v11_aocgroups2and3:393492,d8ej1711:320853,edtok960:350910,deepeelogging1:296539,etreeapiv15:300838,hjd07315:315108,6fh95461:311640,gserpas:292001,edenh823:312573,i8id9958:449025,923e2685:283690,2fche262:263263,v1_onlineselextraction:330872,externalmidrange3:261503,htmlfragmentcollectionv1:285601,edklo447:358232,designershoreline-215:384841,edweb468:191638,ed672:193569,linkui:417512,ededg840:189491\",\"EdgeConfig\":\"P-R-1141099-1-3,P-R-1136586-1-6,P-R-1136203-1-4,P-R-1133477-1-4,P-R-1132367-1-7,P-R-1132544-1-6,P-R-1132175-1-3,P-R-1130507-1-5,P-R-1113531-4-9,P-R-1108562-1-7,P-R-1103742-4-6,P-R-1099640-1-4,P-R-1098501-1-7,P-R-1095721-1-7,P-R-1090419-1-5,P-R-1082109-1-6,P-R-1082170-11-25,P-R-1080066-1-13,P-R-1077170-1-3,P-R-1060324-1-5,P-R-1052391-1-8,P-R-1039913-1-16,P-R-1036635-2-5,P9
Source: Amcache.hve.11.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: MPGPH131.exe, 00000006.00000003.2080544213.00000000039BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CT name, value FROM autofillmain'.sqlite_masterr global passwords blocklistVMware20,11696428655
Source: Amcache.hve.11.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: MPGPH131.exe, 00000006.00000003.2006547115.0000000000CD1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}p
Source: MPGPH131.exe, 00000006.00000003.2086884149.00000000039C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}1ji385:438026,i1g2g604:437359,9ffeg962:402950,e37a0582:438880,cf:403575,3da3b319:434919,d68dd294:435290,web-select-unship:450753,8j079527:448887,i2e7g608:426901,6h1eh131:441212,e92c6808:416905,10ad8400:434605,9d4ca945:415901,identifydb:415105,walletpswlinkupdate:438029,ijd96734:409016,1c484819:413463,0188i430:410947,74g97287:426089,3cej0868:387697,bi4f4994:450434,j4d0f649:415920,be37a759:398467,9cc60973:411866,downarrowscrollwithtriggernew:379502,nonfloatingwithouttoggle:430356,f7bdg612:421301,d78jg254:440485,60a06606:446395,e8455899:433611,ed254:256435,a5g3j174:427088,domexpansion_v1:408272,sidepanecashbackclickv1:392715,ed429:371711,savingsyesui:360239,0iie5378:378326,j3jdi477:407165,g9744299:382390,0ce12802:395899,ed0317:378541,e5097847:376095,d699f664:417781,v1_newnotificationsettingsu:371743,13gjf650:361709,2chfa640:363442,edse218:361564,i5ceh755:348150,pcproductbyregexenus:345020,2ae48381:440529,i4d2e897:416850,0cdi8526:390116,158hf900:358403,edpas404:384675,followablewebwpo:339322,1ebea465:393468,72dhd990:347218,b5691989:400307,v11_aocgroups2and3:393492,d8ej1711:320853,edtok960:350910,deepeelogging1:296539,etreeapiv15:300838,hjd07315:315108,6fh95461:311640,gserpas:292001,edenh823:312573,i8id9958:449025,923e2685:283690,2fche262:263263,v1_onlineselextraction:330872,externalmidrange3:261503,htmlfragmentcollectionv1:285601,edklo447:358232,designershoreline-215:384841,edweb468:191638,ed672:193569,linkui:417512,ededg840:189491\",\"EdgeConfig\":\"P-R-1141099-1-3,P-R-1136586-1-6,P-R-1136203-1-4,P-R-1133477-1-4,P-R-1132367-1-7,P-R-1132544-1-6,P-R-1132175-1-3,P-R-1130507-1-5,P-R-1113531-4-9,P-R-1108562-1-7,P-R-1103742-4-6,P-R-1099640-1-4,P-R-1098501-1-7,P-R-1095721-1-7,P-R-1090419-1-5,P-R-1082109-1-6,P-R-1082170-11-25,P-R-1080066-1-13,P-R-1077170-1-3,P-R-1060324-1-5,P-R-1052391-1-8,P-R-1039913-1-16,P-R-1036635-2-5,PR
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.11.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: RageMP131.exe, 00000008.00000002.2312752937.0000000000C48000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnt
Source: 88Oj06xDol.exe, 00000000.00000002.2312341141.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW.s
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual USB Mouse
Source: RageMP131.exe, 00000008.00000002.2312752937.0000000000C29000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: discord.comVMware20,11696428655f
Source: RageMP131.exe, 00000012.00000002.2241298350.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000007.00000003.2086550919.0000000003AAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116
Source: Amcache.hve.11.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: MPGPH131.exe, 00000006.00000003.2085757386.00000000039BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CT ne FROM main'.sterr gswords VMware28655
Source: MPGPH131.exe, 00000006.00000003.2080544213.00000000039BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Amcache.hve.11.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 88Oj06xDol.exe, 00000000.00000003.1990641225.0000000000C1C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}>
Source: MPGPH131.exe, 00000006.00000003.2080544213.00000000039BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rootpagecomVMware20,11696428655o
Source: MPGPH131.exe, 00000007.00000003.2086550919.0000000003AAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s.portal.azure.comVMware20,11696428655
Source: Amcache.hve.11.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: RageMP131.exe, 00000012.00000002.2241298350.0000000000D70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000l
Source: Amcache.hve.11.dr Binary or memory string: vmci.syshbin`
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: MPGPH131.exe, 00000007.00000002.2315777571.0000000000E28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_539CCBAC
Source: Amcache.hve.11.dr Binary or memory string: \driver\vmci,\driver\pci
Source: MPGPH131.exe, 00000006.00000003.2080544213.00000000039BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pageformVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000002.2315777571.0000000000E28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \?\scsi_vmwaretual_dif219&0&3f563070-94f2-b8b}
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000002.2315777571.0000000000E28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}FilesPSModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
Source: RageMP131.exe, 00000012.00000002.2241298350.0000000000D92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000s\user\AppData\Local\Temp\h
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: MPGPH131.exe, 00000007.00000003.2086550919.0000000003AAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: billing_address_id.comVMware20,11696428
Source: Amcache.hve.11.dr Binary or memory string: VMware
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: MPGPH131.exe, 00000006.00000003.2085757386.00000000039BE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware2
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.11.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 88Oj06xDol.exe, 00000000.00000002.2312341141.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2315642178.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2315777571.0000000000E28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2312752937.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2312752937.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2241298350.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2241298350.0000000000D92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RageMP131.exe, 00000012.00000003.2175462233.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000006.00000003.2080544213.00000000039BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: eVMware20,11696428655
Source: Amcache.hve.11.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: MPGPH131.exe, 00000006.00000003.2080544213.00000000039BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,1169642865
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: MPGPH131.exe, 00000007.00000003.2086550919.0000000003AAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,116968
Source: MPGPH131.exe, 00000006.00000002.2315642178.0000000000CCB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}d
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.11.dr Binary or memory string: VMware20,1
Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: MPGPH131.exe, 00000007.00000003.2086550919.0000000003AAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ra Change Transaction PasswordVMware20,11696428655
Source: Amcache.hve.11.dr Binary or memory string: VMware VMCI Bus Device
Source: MPGPH131.exe, 00000006.00000003.2080544213.00000000039BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: o.inVMware20,11696428655~
Source: MPGPH131.exe, 00000007.00000003.2086550919.0000000003AAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .utiitsl.comVMware20,1169642865(
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.11.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: MPGPH131.exe, 00000007.00000002.2315777571.0000000000DE2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&7
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.11.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.11.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.11.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.11.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: MPGPH131.exe, 00000006.00000003.2080544213.00000000039BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000002.2315777571.0000000000E28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _vmware
Source: MPGPH131.exe, 00000007.00000002.2315777571.0000000000E28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: Amcache.hve.11.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MPGPH131.exe, 00000006.00000003.2080544213.00000000039BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,1168
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: MPGPH131.exe, 00000006.00000003.2080544213.00000000039BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: comVMware20,11696428655o
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 88Oj06xDol.exe, 00000000.00000002.2312341141.0000000000C12000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.11.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: W_rG5uz29mKBWeb Data.7.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: RageMP131.exe, 00000008.00000003.2087345244.0000000000C33000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}k
Source: MPGPH131.exe, 00000006.00000002.2315642178.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&R
Source: MPGPH131.exe, 00000007.00000003.2086550919.0000000003AAF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nickname.utiitsl.comVMware20,1169642865(
Source: MPGPH131.exe, 00000006.00000002.2315642178.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2315777571.0000000000DE2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: Amcache.hve.11.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MPGPH131.exe, 00000006.00000003.2080544213.00000000039BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.11.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: C:\Users\user\Desktop\88Oj06xDol.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00414090 IsDebuggerPresent, 0_2_00414090
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463E84 CreateThread,FindCloseChangeNotification,Sleep,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetCurrentDirectoryA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,shutdown,closesocket,WSACleanup,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep,Sleep,GetModuleHandleA,GetProcAddress,GetCurrentProcess,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,CreateThread,CreateThread,CreateThread,FreeLibrary,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,CloseHandle,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep, 0_2_00463E84
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0043BBC0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 0_2_0043BBC0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0043CB80 mov eax, dword ptr fs:[00000030h] 0_2_0043CB80
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463320 mov eax, dword ptr fs:[00000030h] 0_2_00463320
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463320 mov eax, dword ptr fs:[00000030h] 0_2_00463320
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0041B4D0 mov eax, dword ptr fs:[00000030h] 0_2_0041B4D0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004156D0 mov ecx, dword ptr fs:[00000030h] 0_2_004156D0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463732 mov eax, dword ptr fs:[00000030h] 0_2_00463732
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463732 mov eax, dword ptr fs:[00000030h] 0_2_00463732
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463732 mov eax, dword ptr fs:[00000030h] 0_2_00463732
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463732 mov eax, dword ptr fs:[00000030h] 0_2_00463732
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463E84 mov eax, dword ptr fs:[00000030h] 0_2_00463E84
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463E84 mov ecx, dword ptr fs:[00000030h] 0_2_00463E84
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463E84 mov eax, dword ptr fs:[00000030h] 0_2_00463E84
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463E84 mov eax, dword ptr fs:[00000030h] 0_2_00463E84
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463E84 mov eax, dword ptr fs:[00000030h] 0_2_00463E84
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463E84 mov eax, dword ptr fs:[00000030h] 0_2_00463E84
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463E84 mov eax, dword ptr fs:[00000030h] 0_2_00463E84
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463E84 mov eax, dword ptr fs:[00000030h] 0_2_00463E84
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463E84 mov eax, dword ptr fs:[00000030h] 0_2_00463E84
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463E84 mov eax, dword ptr fs:[00000030h] 0_2_00463E84
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463E84 mov eax, dword ptr fs:[00000030h] 0_2_00463E84
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463E84 mov eax, dword ptr fs:[00000030h] 0_2_00463E84
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463E84 mov eax, dword ptr fs:[00000030h] 0_2_00463E84
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463E84 mov eax, dword ptr fs:[00000030h] 0_2_00463E84
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463E84 mov eax, dword ptr fs:[00000030h] 0_2_00463E84
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463E84 mov eax, dword ptr fs:[00000030h] 0_2_00463E84
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463E84 mov eax, dword ptr fs:[00000030h] 0_2_00463E84
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00463E84 mov eax, dword ptr fs:[00000030h] 0_2_00463E84
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0041B4D0 mov eax, dword ptr fs:[00000030h] 0_2_0041B4D0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00414090 mov eax, dword ptr fs:[00000030h] 0_2_00414090
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0041B4D0 mov eax, dword ptr fs:[00000030h] 0_2_0041B4D0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004646E9 mov eax, dword ptr fs:[00000030h] 0_2_004646E9
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004146F0 mov eax, dword ptr fs:[00000030h] 0_2_004146F0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004146F0 mov eax, dword ptr fs:[00000030h] 0_2_004146F0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004146F0 mov eax, dword ptr fs:[00000030h] 0_2_004146F0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004146F0 mov eax, dword ptr fs:[00000030h] 0_2_004146F0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004146F0 mov eax, dword ptr fs:[00000030h] 0_2_004146F0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004146F0 mov eax, dword ptr fs:[00000030h] 0_2_004146F0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004146F0 mov eax, dword ptr fs:[00000030h] 0_2_004146F0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004146F0 mov eax, dword ptr fs:[00000030h] 0_2_004146F0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004146F0 mov eax, dword ptr fs:[00000030h] 0_2_004146F0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004146F0 mov eax, dword ptr fs:[00000030h] 0_2_004146F0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004146F0 mov eax, dword ptr fs:[00000030h] 0_2_004146F0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004146F0 mov eax, dword ptr fs:[00000030h] 0_2_004146F0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0041B4D0 mov eax, dword ptr fs:[00000030h] 0_2_0041B4D0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0041F3B0 mov eax, dword ptr fs:[00000030h] 0_2_0041F3B0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0041B4D0 mov eax, dword ptr fs:[00000030h] 0_2_0041B4D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0043CB80 mov eax, dword ptr fs:[00000030h] 6_2_0043CB80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463320 mov eax, dword ptr fs:[00000030h] 6_2_00463320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463320 mov eax, dword ptr fs:[00000030h] 6_2_00463320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0041B4D0 mov eax, dword ptr fs:[00000030h] 6_2_0041B4D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463732 mov eax, dword ptr fs:[00000030h] 6_2_00463732
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463732 mov eax, dword ptr fs:[00000030h] 6_2_00463732
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463732 mov eax, dword ptr fs:[00000030h] 6_2_00463732
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463732 mov eax, dword ptr fs:[00000030h] 6_2_00463732
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463E84 mov eax, dword ptr fs:[00000030h] 6_2_00463E84
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463E84 mov ecx, dword ptr fs:[00000030h] 6_2_00463E84
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463E84 mov eax, dword ptr fs:[00000030h] 6_2_00463E84
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463E84 mov eax, dword ptr fs:[00000030h] 6_2_00463E84
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463E84 mov eax, dword ptr fs:[00000030h] 6_2_00463E84
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463E84 mov eax, dword ptr fs:[00000030h] 6_2_00463E84
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463E84 mov eax, dword ptr fs:[00000030h] 6_2_00463E84
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463E84 mov eax, dword ptr fs:[00000030h] 6_2_00463E84
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463E84 mov eax, dword ptr fs:[00000030h] 6_2_00463E84
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463E84 mov eax, dword ptr fs:[00000030h] 6_2_00463E84
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463E84 mov eax, dword ptr fs:[00000030h] 6_2_00463E84
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463E84 mov eax, dword ptr fs:[00000030h] 6_2_00463E84
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463E84 mov eax, dword ptr fs:[00000030h] 6_2_00463E84
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463E84 mov eax, dword ptr fs:[00000030h] 6_2_00463E84
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463E84 mov eax, dword ptr fs:[00000030h] 6_2_00463E84
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463E84 mov eax, dword ptr fs:[00000030h] 6_2_00463E84
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463E84 mov eax, dword ptr fs:[00000030h] 6_2_00463E84
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00463E84 mov eax, dword ptr fs:[00000030h] 6_2_00463E84
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0041B4D0 mov eax, dword ptr fs:[00000030h] 6_2_0041B4D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00414090 mov eax, dword ptr fs:[00000030h] 6_2_00414090
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0041B4D0 mov eax, dword ptr fs:[00000030h] 6_2_0041B4D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004646E9 mov eax, dword ptr fs:[00000030h] 6_2_004646E9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004146F0 mov eax, dword ptr fs:[00000030h] 6_2_004146F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004146F0 mov eax, dword ptr fs:[00000030h] 6_2_004146F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004146F0 mov eax, dword ptr fs:[00000030h] 6_2_004146F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004146F0 mov eax, dword ptr fs:[00000030h] 6_2_004146F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004146F0 mov eax, dword ptr fs:[00000030h] 6_2_004146F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004146F0 mov eax, dword ptr fs:[00000030h] 6_2_004146F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004146F0 mov eax, dword ptr fs:[00000030h] 6_2_004146F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004146F0 mov eax, dword ptr fs:[00000030h] 6_2_004146F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004146F0 mov eax, dword ptr fs:[00000030h] 6_2_004146F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004146F0 mov eax, dword ptr fs:[00000030h] 6_2_004146F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004146F0 mov eax, dword ptr fs:[00000030h] 6_2_004146F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004146F0 mov eax, dword ptr fs:[00000030h] 6_2_004146F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0041B4D0 mov eax, dword ptr fs:[00000030h] 6_2_0041B4D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0041F3B0 mov eax, dword ptr fs:[00000030h] 6_2_0041F3B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004156D0 mov ecx, dword ptr fs:[00000030h] 6_2_004156D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0041B4D0 mov eax, dword ptr fs:[00000030h] 6_2_0041B4D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_028030A3 push dword ptr fs:[00000030h] 6_2_028030A3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_028C42F7 mov eax, dword ptr fs:[00000030h] 6_2_028C42F7
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00408560 CopyFileA,GetModuleHandleA,GetProcAddress,GetProcessHeap,HeapAlloc,HeapFree,HeapAlloc,HeapFree, 0_2_00408560
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004DE8B4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004DE8B4
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004DEA41 SetUnhandledExceptionFilter, 0_2_004DEA41
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004DEC4D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_004DEC4D
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004E3174 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004E3174
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004DE8B4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_004DE8B4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004DEA41 SetUnhandledExceptionFilter, 6_2_004DEA41
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004DEC4D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_004DEC4D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004E3174 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_004E3174
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_029933DB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_029933DB

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00419360 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_00419360
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00419360 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 6_2_00419360
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00414210 cpuid 0_2_00414210
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0040BF30
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: GetLocaleInfoEx,FormatMessageA, 0_2_004DC5A3
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0040C816
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_004FD278
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: GetLocaleInfoW, 0_2_004FD47D
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: EnumSystemLocalesW, 0_2_004FD56F
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: EnumSystemLocalesW, 0_2_004FD524
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: EnumSystemLocalesW, 0_2_004FD60A
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_004FD695
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: EnumSystemLocalesW, 0_2_004F58CA
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: GetLocaleInfoW, 0_2_004FD8E8
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_004FDA11
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: GetLocaleInfoW, 0_2_004FDB17
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_004FDBED
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 6_2_0040BF30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoEx,FormatMessageA, 6_2_004DC5A3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 6_2_0040C816
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 6_2_004FD278
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_004FD47D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_004FD56F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_004FD524
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_004FD60A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_2_004FD695
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_004F58CA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_004FD8E8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_004FDA11
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_004FDB17
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_004FDBED
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_004F5E4D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_029A60B4
Source: C:\Users\user\Desktop\88Oj06xDol.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\88Oj06xDol.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_0040BF30 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0040BF30
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_00417630 GetModuleFileNameA,GetUserNameA,GetFileAttributesA,GetLastError,CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetFileAttributesA,GetLastError,CopyFileA,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_00417630
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004F784E GetTimeZoneInformation, 0_2_004F784E
Source: C:\Users\user\Desktop\88Oj06xDol.exe Code function: 0_2_004938A0 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA, 0_2_004938A0
Source: C:\Users\user\Desktop\88Oj06xDol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.11.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000003.2063825636.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2087888478.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2063746570.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2314400932.0000000003A98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2312568223.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2312341141.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2316072862.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2087888478.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2130340101.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2316164450.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2316072862.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 88Oj06xDol.exe PID: 1816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 4448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 2584, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 2792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 2836, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\cXsJJz24BctXuTWSoaCRfcx.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\a_iqRIngCQdFvZnFgfEPZYy.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\58Ob04x3bvi6kXoEQuoxoDl.zip, type: DROPPED
Source: MPGPH131.exe, 00000006.00000003.2087888478.0000000000D46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: MPGPH131.exe, 00000006.00000003.2087888478.0000000000D46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: MPGPH131.exe, 00000006.00000003.2087888478.0000000000D46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx
Source: MPGPH131.exe, 00000006.00000002.2315642178.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallets
Source: MPGPH131.exe, 00000006.00000003.2087888478.0000000000D46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: MPGPH131.exe, 00000006.00000002.2315642178.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallets
Source: 88Oj06xDol.exe, 00000000.00000002.2312341141.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: MPGPH131.exe, 00000006.00000003.2087888478.0000000000D46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: MPGPH131.exe, 00000006.00000003.2087888478.0000000000D46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: MPGPH131.exe, 00000006.00000003.2087888478.0000000000D46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: MPGPH131.exe, 00000007.00000002.2315777571.0000000000E28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*V
Source: 88Oj06xDol.exe, 00000000.00000002.2312341141.0000000000C3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\formhistory.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Desktop\88Oj06xDol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\88Oj06xDol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\88Oj06xDol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 00000006.00000003.2087888478.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2315642178.0000000000CE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2316072862.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 88Oj06xDol.exe PID: 1816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 4448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 2584, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000000.00000003.2063825636.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2087888478.0000000000D46000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2063746570.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2314400932.0000000003A98000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2312568223.0000000000CB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2312341141.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2316072862.0000000000D47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2087888478.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2130340101.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2316164450.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2316072862.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 88Oj06xDol.exe PID: 1816, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 4448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 2584, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 2792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 2836, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\cXsJJz24BctXuTWSoaCRfcx.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\a_iqRIngCQdFvZnFgfEPZYy.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\58Ob04x3bvi6kXoEQuoxoDl.zip, type: DROPPED