Windows Analysis Report
dendy.exe

Overview

General Information

Sample name: dendy.exe
Analysis ID: 1427876
MD5: 446f080cd1ed262b4dd0c1ff2143297e
SHA1: b958c52622a02d7ed530f6d41a7e7c24a27f7918
SHA256: a211901dea69eab959b9e47a6276ba7f363b6857687c410adcaf56135586b7ea

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check for running processes (XOR)
Contains functionality to inject threads in other processes
Country aware sample found (crashes after keyboard check)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection

Source: dendy.exe Avira: detected
Source: http://193.233.132.167/cost/lenin.exe URL Reputation: Label: malware
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Avira: detection malicious, Label: TR/AVI.AceCrypter.tzrgz
Source: http://147.45.47.102:57893/hera/amadka.exe Virustotal: Detection: 15%
Source: http://147.45.47.102:57893/hera/amadka.exe68.0 Virustotal: Detection: 15% (memory-carved variant of the URL on the previous line; the trailing "68.0" is adjacent data in the dump, not part of the URL)
Source: http://193.233.132.167/cost/go.exe Virustotal: Detection: 24%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 82%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Virustotal: Detection: 71%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Virustotal: Detection: 71%
Source: dendy.exe ReversingLabs: Detection: 82%
Source: dendy.exe Virustotal: Detection: 71%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: dendy.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0041F3EB CryptUnprotectData,LocalFree, 0_2_0041F3EB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0041F3EB CryptUnprotectData,LocalFree, 8_2_0041F3EB

Compliance

Source: C:\Users\user\Desktop\dendy.exe Unpacked PE file: 0.2.dendy.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 8.2.MPGPH131.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 26.2.RageMP131.exe.400000.0.unpack
Source: dendy.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\dendy.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0040E7B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA, 0_2_0040E7B0
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_004DB1CB FindClose,FindFirstFileExW,GetLastError, 0_2_004DB1CB
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0040B300 GetDateFormatW,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_0040B300
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0041FA10 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_0041FA10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0040E7B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA, 8_2_0040E7B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004DB1CB FindClose,FindFirstFileExW,GetLastError, 8_2_004DB1CB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0040B300 GetDateFormatW,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 8_2_0040B300
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0041FA10 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 8_2_0041FA10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0043EAEB FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CopyFileA,CopyFileA, 8_2_0043EAEB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004DB251 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 8_2_004DB251
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0043FBB9 FindFirstFileA,FindNextFileA,GetLastError,FindClose,CreateFileA,GetFileSize,ReadFile,CloseHandle, 8_2_0043FBB9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_04B3B4B8 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 8_2_04B3B4B8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_04B3B432 FindClose,FindFirstFileExW,GetLastError, 8_2_04B3B432
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_dendy.exe_aa9f15d75e87e911f42a0812ef56c2977edd110_fa985918_b25a0167-156e-47da-8b75-d9e08c1e0ac7\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_8da9ded6fcd3711f80e32889caff945e9691e_62a9ba1a_4f7c52ae-a147-40d8-a3f2-8a9bebe00511\
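The Compliance lines above record runtime unpacking (each process dumped at 400000) and a COFF Characteristics set of RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE. Stripped relocations mean the loader cannot rebase the image, so it always maps at its preferred base, which is consistent with every unpacked dump sitting at 0x400000. The block below is an added example, not code from the report, from Joe Sandbox or from the sample: a dependency-free parser that decodes those flags from a PE header and flags the static precursors of the "changes PE section rights" behaviour (a section already mapped writable and executable, or an executable section whose in-memory size far exceeds its on-disk bytes). The image it parses is assembled by `build_image` from constructed values; the section layout is an assumption chosen to illustrate the checks and is not dendy.exe's.

```python
"""Static PE triage: decode IMAGE_FILE_* flags and flag unpacker-style sections.
Added example with a constructed image; not code from the report or the sample."""
import struct

FILE_FLAGS = {                      # IMAGE_FILE_HEADER.Characteristics bits
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
SCN_CODE, SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20, 0x20000000, 0x40000000, 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"        # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    magic = struct.unpack_from("<H", data, pe_off + 24)[0] if opt_size >= 2 else 0
    sections, base = [], pe_off + 24 + opt_size
    for i in range(nsections):
        name, vsize, va, rsize, _raw, _, _, _, _, flags = struct.unpack_from(SECTION_FMT, data, base + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": rsize, "flags": flags})
    return {"machine": machine, "pe32plus": magic == 0x20B, "characteristics": chars,
            "flag_names": [n for bit, n in FILE_FLAGS.items() if chars & bit],
            "sections": sections}


def unpacker_indicators(pe):
    """Cheap static hints that a stub will later write code into the image.
    None of them proves packing by itself; the sandbox's dynamic signature
    (VirtualProtect on a section at run time) is the authoritative observation."""
    hits = []
    for s in pe["sections"]:
        f = s["flags"]
        if f & SCN_WRITE and f & SCN_EXECUTE:
            hits.append(f"{s['name']}: mapped writable and executable")
        if f & SCN_EXECUTE and s["virtual_size"] > 4 * max(s["raw_size"], 1):
            hits.append(f"{s['name']}: virtual size {s['virtual_size']:#x} far exceeds raw size {s['raw_size']:#x}")
    chars = pe["characteristics"]
    if chars & 0x0001 and not chars & 0x2000:
        hits.append("RELOCS_STRIPPED on an EXE: cannot be rebased, always loads at ImageBase")
    return hits


def build_image(file_flags, sections):
    """Assemble a header-only PE32 image (constructed test input, not dendy.exe)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, file_flags)
    opt = struct.pack("<H", 0x10B) + bytes(222)                 # PE32 magic, rest zeroed
    table = b"".join(struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, va, rsize, 0, 0, 0, 0, 0, flags)
                     for name, vsize, va, rsize, flags in sections)
    return bytes(dos) + b"PE\0\0" + coff + opt + table


# Constructed: the flag set reported for dendy.exe, with an assumed section layout
# typical of a self-unpacking stub (RWX .text whose raw bytes are a fraction of its mapping).
SAMPLE_IMAGE = build_image(
    0x0001 | 0x0002 | 0x0100,
    [(b".text", 0x40000, 0x1000, 0x400, SCN_CODE | SCN_EXECUTE | SCN_READ | SCN_WRITE),
     (b".rdata", 0x2000, 0x41000, 0x2000, SCN_READ),
     (b".data", 0x3000, 0x43000, 0x1000, SCN_READ | SCN_WRITE)],
)
# Constructed control: a conventionally laid out image that should produce no hits.
CLEAN_IMAGE = build_image(
    0x0002 | 0x0100,
    [(b".text", 0x1000, 0x1000, 0x1000, SCN_CODE | SCN_EXECUTE | SCN_READ)],
)

if __name__ == "__main__":
    for label, image in (("sample", SAMPLE_IMAGE), ("clean", CLEAN_IMAGE)):
        pe = parse_pe(image)
        print(label, pe["flag_names"], unpacker_indicators(pe))
```

To triage a real file, pass `open(path, "rb").read()` to `parse_pe`. The static hints are heuristics in both directions: a packer can keep its sections R-X on disk and flip them with VirtualProtect at run time, which the static check misses and the sandbox catches, and a legitimate build can carry an oversized zero-filled executable section.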

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49732
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49731 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49732
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49739
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49739 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49746
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49746 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49739
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49746
Source: global traffic TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9 (every connection to this host recorded elsewhere in the report uses port 58709; the single-digit entries are exactly the digits of 58709 and are most likely a port-list parsing artifact, so the "likely port scanning" signature reflects repeated connections to one C2 port rather than a scan)
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 147.45.47.93 147.45.47.93
Source: Joe Sandbox View IP Address: 104.26.5.15 104.26.5.15
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown DNS query: name: ipinfo.io
Source: global traffic HTTP traffic detected (observed 5 times): GET /widget/demo/81.181.57.52 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: ipinfo.io
Source: global traffic HTTP traffic detected (observed 5 times): GET /demo/home.php?s=81.181.57.52 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: db-ip.com
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93 (50 connections)
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0041E220 recv,setsockopt,recv,WSAGetLastError,recv,recv,setsockopt,recv,recv,recv,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep, 0_2_0041E220
Source: unknown DNS traffic detected: queries for: ipinfo.io
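The traffic evidence above has three detectable parts: two public-IP lookups over HTTP (an ipinfo.io widget path with the lookup site itself as Referer, and a db-ip.com path carrying a form Content-Type on a body-less GET), a TCP peer at 147.45.47.93:58709 that was never resolved through DNS, and repeated fresh client connections to that one port (49730, 49731, 49732, 49739, 49746). The block below is an added example, not code from the report, Joe Sandbox or the RisePro sample, showing those three checks run over sample records. The records are constructed to mirror the evidence lines; the DNS answer mapping (ipinfo.io to 34.117.186.192, db-ip.com to 104.26.5.15) is an assumption inferred from the DNS queries and HTTPS peers listed, since the report does not print the answers. Function names are the author's own.

```python
"""Detection logic for the RisePro network behaviour recorded above.
Added example; sample records are constructed, not captured from the sample."""
import ipaddress
import re
from collections import Counter

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# Exact lookup paths seen in the report; both embed the victim's public IP.
IP_LOOKUP_PATHS = {
    "ipinfo.io": re.compile(rf"^/widget/demo/{IPV4}$"),
    "db-ip.com": re.compile(rf"^/demo/home\.php\?s={IPV4}$"),
}


def parse_request(raw):
    """Split a raw HTTP/1.1 request head into method, path and lower-cased headers."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def is_risepro_ip_lookup(req):
    """Match the report's two public-IP lookups: a GET on the exact lookup path plus
    the header quirk each carries (ipinfo.io: Referer is the lookup site itself;
    db-ip.com: a form Content-Type on a GET that has no body)."""
    h = req["headers"]
    host = h.get("host", "").lower()
    pattern = IP_LOOKUP_PATHS.get(host)
    if req["method"] != "GET" or pattern is None or not pattern.match(req["path"]):
        return False
    if host == "ipinfo.io":
        return h.get("referer") == "https://ipinfo.io/"
    return h.get("content-type", "").startswith("application/x-www-form-urlencoded")


def flows_without_dns(flows, dns_answers):
    """Flows to a public IP that no DNS answer in the capture returned: a hard-coded
    C2 address, i.e. the report's 'TCP traffic without corresponding DNS query'."""
    resolved = {ip for answers in dns_answers.values() for ip in answers}
    return [f for f in flows
            if f["dst"] not in resolved and ipaddress.ip_address(f["dst"]).is_global]


def repeated_c2_sessions(flows, min_sessions=3):
    """Destinations on a non-standard port receiving several fresh connections
    (the Token/Activity/External-IP exchange above used five client ports)."""
    counts = Counter((f["dst"], f["dport"]) for f in flows)
    return [(dst, port, n) for (dst, port), n in counts.items()
            if n >= min_sessions and port not in (80, 443)]


UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
# Constructed requests: header sets copied from the evidence lines, plus a benign control.
SAMPLE_REQUESTS = [
    "GET /widget/demo/81.181.57.52 HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    f"Referer: https://ipinfo.io/\r\nUser-Agent: {UA}\r\nHost: ipinfo.io\r\n\r\n",
    "GET /demo/home.php?s=81.181.57.52 HTTP/1.1\r\nConnection: Keep-Alive\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"User-Agent: {UA}\r\nHost: db-ip.com\r\n\r\n",
    f"GET /index.html HTTP/1.1\r\nUser-Agent: {UA}\r\nHost: ipinfo.io\r\n\r\n",
]
# Assumed DNS answers: the report lists the queries and the HTTPS peers, not the answers.
SAMPLE_DNS = {"ipinfo.io": ["34.117.186.192"], "db-ip.com": ["104.26.5.15"]}
# Constructed flows: client ports and the C2 endpoint taken from the Snort alerts above.
SAMPLE_FLOWS = (
    [{"src": "192.168.2.4", "sport": 49733, "dst": "34.117.186.192", "dport": 443},
     {"src": "192.168.2.4", "sport": 49735, "dst": "104.26.5.15", "dport": 443}]
    + [{"src": "192.168.2.4", "sport": p, "dst": "147.45.47.93", "dport": 58709}
       for p in (49730, 49731, 49732, 49739, 49746)]
)


def triage(requests=SAMPLE_REQUESTS, flows=SAMPLE_FLOWS, dns=SAMPLE_DNS):
    """Run the three checks and return the findings."""
    return {
        "ip_lookups": [r["path"] for r in map(parse_request, requests) if is_risepro_ip_lookup(r)],
        "no_dns_peers": sorted({f["dst"] for f in flows_without_dns(flows, dns)}),
        "c2_sessions": repeated_c2_sessions(flows),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The HTTP check is a correlation signal, not a verdict on its own: a browser on the ipinfo.io front page issues the same widget request with the same Referer, so the discriminator in practice is the requesting process (a non-browser binary from ProgramData or AppData) or the absence of the page load that should precede it. The C2 exchange itself is covered by the Emerging Threats Snort rules listed above (2046266, 2046267, 2046269, 2049060); this example does not decode that protocol because the report shows no payloads.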
Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe2
Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe6
Source: RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe68.0
Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeCH
Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe
Source: RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exeadka.ex
Source: MPGPH131.exe, 00000008.00000002.2510972800.0000000007967000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exedka.exeuKRx
Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exehoin5
Source: MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exeisepro_botj
Source: RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe
Source: dendy.exe, 00000000.00000002.2501929485.0000000007968000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe.exe/HS2
Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe192.168.0gA
Source: RageMP131.exe, 0000001A.00000002.2496030568.0000000007967000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe_tenant_idr
Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exeania)
Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exenesCH
Source: Amcache.hve.7.dr String found in binary or memory: http://upx.sf.net
Source: dendy.exe, dendy.exe, 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, dendy.exe, 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, dendy.exe, 00000000.00000003.1719048251.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000008.00000002.2510035968.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1754038237.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2506460203.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.2340303087.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.1754837586.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2343384935.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2493907103.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001A.00000003.1896337586.0000000004B90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: dendy.exe, 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, dendy.exe, 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, dendy.exe, 00000000.00000003.1719048251.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2510035968.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1754038237.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2506460203.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.2340303087.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.1754837586.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2343384935.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2493907103.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001A.00000003.1896337586.0000000004B90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDllDpRTpR
Source: dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MPGPH131.exe, 00000009.00000003.2119466041.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/GIG
Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/ZMru
Source: MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81
Source: RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52
Source: MPGPH131.exe, 00000008.00000002.2508595887.0000000002F6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52A
Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52dress
Source: RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/~
Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2119466041.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52
Source: RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52s
Source: dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: dendy.exe, 00000000.00000002.2500954846.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/4
Source: RageMP131.exe, 0000001A.00000002.2495191919.000000000308F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/8
Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F86000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2119466041.0000000002EE1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: MPGPH131.exe, 00000008.00000002.2508595887.0000000002F7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/X
Source: dendy.exe, 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, dendy.exe, 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, dendy.exe, 00000000.00000003.1719048251.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2510035968.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1754038237.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2506460203.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.2340303087.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.1754837586.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2343384935.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2493907103.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001A.00000003.1896337586.0000000004B90000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 00000008.00000002.2508595887.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EB0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52
Source: RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52F
Source: dendy.exe, 00000000.00000002.2500536171.0000000002E8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52l
Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002E9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/x
Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F86000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52
Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: dendy.exe, 00000000.00000003.2186305953.00000000079AD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2218273477.00000000079B8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210121788.0000000007862000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253627094.0000000007986000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2255795866.0000000007985000.00000004.00000020.00020000.00000000.sdmp, xLkPmPbriQeYHistory.26.dr, hn0rI1Di9iTsHistory.0.dr, GrE_iBTQJdDJHistory.26.dr, fNgu77Rnk80sHistory.9.dr, 7QP8D56XEcyNHistory.9.dr, 9kIPQpaY4rvVHistory.0.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: xLkPmPbriQeYHistory.26.dr, hn0rI1Di9iTsHistory.0.dr, GrE_iBTQJdDJHistory.26.dr, fNgu77Rnk80sHistory.9.dr, 7QP8D56XEcyNHistory.9.dr, 9kIPQpaY4rvVHistory.0.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: dendy.exe, 00000000.00000003.2186305953.00000000079AD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2218273477.00000000079B8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210121788.0000000007862000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253627094.0000000007986000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2255795866.0000000007985000.00000004.00000020.00020000.00000000.sdmp, xLkPmPbriQeYHistory.26.dr, hn0rI1Di9iTsHistory.0.dr, GrE_iBTQJdDJHistory.26.dr, fNgu77Rnk80sHistory.9.dr, 7QP8D56XEcyNHistory.9.dr, 9kIPQpaY4rvVHistory.0.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: xLkPmPbriQeYHistory.26.dr, hn0rI1Di9iTsHistory.0.dr, GrE_iBTQJdDJHistory.26.dr, fNgu77Rnk80sHistory.9.dr, 7QP8D56XEcyNHistory.9.dr, 9kIPQpaY4rvVHistory.0.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: dendy.exe, 00000000.00000002.2501929485.0000000007984000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415493241.0000000007984000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000002.2502097335.000000000799A000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415760901.0000000007999000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415493241.0000000007995000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000002.2500536171.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2510972800.0000000007981000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F0E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002E68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2343911888.00000000077F0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.000000000305E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2496030568.0000000007920000.00000004.00000020.00020000.00000000.sdmp, c9bTQaLpRNBVsUoe4pkuQMW.zip.26.dr, 6XWWeAeVicQTZ7HrJgfaAa9.zip.0.dr, 7SoGIg_Dgh61RYTHw6zemBp.zip.9.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: dendy.exe, 00000000.00000002.2502097335.000000000799A000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415760901.0000000007999000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415493241.0000000007995000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT117.0.2045.47
Source: RageMP131.exe, 0000001A.00000002.2496030568.0000000007920000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTIva
Source: RageMP131.exe, 0000001A.00000002.2496030568.0000000007920000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTOU~
Source: dendy.exe, 00000000.00000002.2501929485.0000000007984000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415493241.0000000007984000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTV
Source: RageMP131.exe, 0000001A.00000002.2495191919.000000000305E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTn
Source: MPGPH131.exe, 00000008.00000002.2510972800.0000000007981000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2343911888.00000000077F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTq
Source: RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2218615210.000000000312B000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.9.dr, passwords.txt.0.dr, passwords.txt.26.dr String found in binary or memory: https://t.me/risepro_bot
Source: MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot1.181.57.52
Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botDA
Source: RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botlateraQ
Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2119466041.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botomania
Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botrA
Source: MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botrisepro
Source: MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bottl;
Source: dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: dendy.exe, 00000000.00000003.2190337967.00000000079D7000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2185569564.00000000079BB000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2186887342.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2221361449.00000000079D9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217856798.00000000079A9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2219324558.00000000079C9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2208409406.0000000007866000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210859373.0000000007883000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207337910.0000000007843000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2254070104.00000000079A8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2256092823.0000000007996000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2253005024.0000000007977000.00000004.00000020.00020000.00000000.sdmp, FDWjNP4RsRAAWeb Data.9.dr, xjqD6LmmUXwRWeb Data.26.dr, jivh3ZMPe0AVWeb Data.0.dr, UilUp13UfaxJWeb Data.0.dr, o47QYaSXnflcWeb Data.9.dr, 0SUQ0f15JMK7Web Data.26.dr, wUqBSbUei7PhWeb Data.0.dr, 2l02O9W1_FhwWeb Data.9.dr, NuTl_5zQHhB1Web Data.26.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: dendy.exe, MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2510972800.0000000007967000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2496030568.0000000007967000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: dendy.exe, 00000000.00000002.2501929485.0000000007984000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415493241.0000000007984000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2510972800.0000000007981000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2343911888.000000000782A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207118365.000000000782A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210034289.000000000782A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210806911.000000000782A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2496030568.000000000795F000.00000004.00000020.00020000.00000000.sdmp, D87fZN3R3jFeplaces.sqlite.26.dr, 3b6N2Xdh3CYwplaces.sqlite.9.dr, 3b6N2Xdh3CYwplaces.sqlite.26.dr, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/f
Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: dendy.exe, 00000000.00000002.2501929485.0000000007968000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2496030568.0000000007967000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ATCH
Source: RageMP131.exe, 0000001A.00000002.2496030568.0000000007967000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/e.dat
Source: dendy.exe, 00000000.00000002.2501929485.0000000007968000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/esktop
Source: dendy.exe, 00000000.00000002.2501929485.0000000007984000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415493241.0000000007984000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2510972800.0000000007981000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2343911888.000000000782A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207118365.000000000782A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210034289.000000000782A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2210806911.000000000782A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2496030568.000000000795F000.00000004.00000020.00020000.00000000.sdmp, D87fZN3R3jFeplaces.sqlite.26.dr, 3b6N2Xdh3CYwplaces.sqlite.9.dr, 3b6N2Xdh3CYwplaces.sqlite.26.dr, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ragon
Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/refoxo
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0040BAC0 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown, 8_2_0040BAC0

System Summary

Source: 0000001A.00000002.2495000425.0000000002DAA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000002.2343201454.0000000002F6D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.2508449882.0000000002E39000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.2510035968.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2501230299.000000000300C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000009.00000002.2343384935.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\dendy.exe Code function: String function: 0048FE50 appears 35 times
Source: C:\Users\user\Desktop\dendy.exe Code function: String function: 00469F00 appears 46 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 004DD5B0 appears 54 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 0048FE50 appears 91 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 00469F00 appears 58 times
Source: C:\Users\user\Desktop\dendy.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 868
Source: dendy.exe Binary or memory string: OriginalFilename vs dendy.exe
Source: dendy.exe, 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs dendy.exe
Source: dendy.exe, 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs dendy.exe
Source: dendy.exe, 00000000.00000003.1719048251.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefilezilla.exe4 vs dendy.exe
Source: dendy.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0000001A.00000002.2495000425.0000000002DAA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000002.2343201454.0000000002F6D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.2508449882.0000000002E39000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.2510035968.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2501230299.000000000300C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000002.2343384935.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@24/129@2/3
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_00492300 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA, 0_2_00492300
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_00491D10 CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA, 0_2_00491D10
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0040CD50 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0040CD50
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_00446020 CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,CopyFileA,SHGetFolderPathA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,ShellExecuteA, 0_2_00446020
Source: C:\Users\user\Desktop\dendy.exe File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3748:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5164
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7028
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6688
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6996
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6332:120:WilError_03
Source: C:\Users\user\Desktop\dendy.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: dendy.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dendy.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\dendy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: dendy.exe, dendy.exe, 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, dendy.exe, 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, dendy.exe, 00000000.00000003.1719048251.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000008.00000002.2510035968.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1754038237.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2506460203.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.2340303087.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.1754837586.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2343384935.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: dendy.exe, 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, dendy.exe, 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, dendy.exe, 00000000.00000003.1719048251.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2510035968.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1754038237.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2506460203.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.2340303087.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.1754837586.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2343384935.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2493907103.0000000000400000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: MPGPH131.exe, 00000008.00000003.2219788988.0000000007992000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE autofill_sync_metadata (model_typ;
Source: MPGPH131.exe, 00000008.00000003.2217856798.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217789940.0000000007992000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2217503233.0000000007992000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2207246038.000000000782C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2206986632.000000000782C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2252440203.000000000313C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2252918330.000000000313C000.00000004.00000020.00020000.00000000.sdmp, 6xQrR_hJnX90Login Data For Account.26.dr, q4newEXeW0gGLogin Data For Account.0.dr, BYnglavidnY6Login Data.9.dr, s5KTHH5Pma1BLogin Data For Account.9.dr, nF96X0gSy0TrLogin Data.0.dr, fd7hv5c9m7PWLogin Data.26.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: dendy.exe ReversingLabs: Detection: 82%
Source: dendy.exe Virustotal: Detection: 71%
Source: dendy.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\dendy.exe File read: C:\Users\user\Desktop\dendy.exe
Source: unknown Process created: C:\Users\user\Desktop\dendy.exe "C:\Users\user\Desktop\dendy.exe"
Source: C:\Users\user\Desktop\dendy.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dendy.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dendy.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 868
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 804
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 780
Source: C:\Users\user\Desktop\dendy.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 952
Source: C:\Users\user\Desktop\dendy.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 960
Source: C:\Users\user\Desktop\dendy.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 960
Source: C:\Users\user\Desktop\dendy.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 892
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\dendy.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1464
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 924
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 964
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6996 -s 884
Source: C:\Users\user\Desktop\dendy.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1472
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5164 -s 820
Source: C:\Users\user\Desktop\dendy.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\dendy.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\dendy.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\dendy.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msimg32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msvcr100.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msimg32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msvcr100.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dpapi.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\dendy.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\dendy.exe File opened: C:\Windows\SysWOW64\msvcr100.dll

Data Obfuscation

Source: C:\Users\user\Desktop\dendy.exe Unpacked PE file: 0.2.dendy.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 8.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 26.2.RageMP131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\dendy.exe Unpacked PE file: 0.2.dendy.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 8.2.MPGPH131.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 26.2.RageMP131.exe.400000.0.unpack
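The two lists on either side of "vs" in the entries above are the section names and rights (E = execute, R = read, W = write) of the dumped image and of the PE as it was written to disk; for every one of the four processes the dump carries a writable .tls section the file lacks and has lost the .reloc section, and that differing section table is the evidence behind the "Detected unpacking (changes PE section rights)" signature. The Python below is an added example, not part of the sandbox report or of the sample: it parses these strings back into the IMAGE_SCN_MEM_* characteristic bits, diffs the two tables, and derives the same rights map directly from a PE's section table so a dump written to disk can be compared the same way. Which side of "vs" is the dump is an assumption (left: dumped image, right: original file), and the header-only PE the code builds for itself is constructed test input, not a real binary.

```python
r"""Diff the section rights a sandbox reports for a dumped (unpacked) PE image
against those of the file on disk, e.g. the report's
".text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;".

Added example, not part of the sandbox report. Assumption: the list left of
"vs" describes the dumped image, the list right of it the PE as dropped to
disk. build_header_only_pe() produces constructed test input only."""
import re
import struct
from typing import Dict, List, Tuple

# IMAGE_SECTION_HEADER.Characteristics bits behind the E/R/W letters.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
LETTER_TO_FLAG = {"E": IMAGE_SCN_MEM_EXECUTE, "R": IMAGE_SCN_MEM_READ, "W": IMAGE_SCN_MEM_WRITE}

# The report's own line for the submitted sample (process 0, run 2).
REPORT_LINE = (r"Source: C:\Users\user\Desktop\dendy.exe Unpacked PE file: 0.2.dendy.exe.400000.0.unpack "
               ".text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;")


def parse_rights(spec: str) -> Dict[str, int]:
    """'.text:ER;.rdata:R;' -> {'.text': EXECUTE|READ, '.rdata': READ}; keeps section order."""
    rights: Dict[str, int] = {}
    for name, letters in re.findall(r"([^:;\s]+):([ERW]*);", spec):
        flags = 0
        for ch in letters:
            flags |= LETTER_TO_FLAG[ch]
        rights[name] = flags
    return rights


def rights_to_letters(flags: int) -> str:
    """Inverse of parse_rights() for one section, in the report's E/R/W order."""
    return "".join(ch for ch, bit in LETTER_TO_FLAG.items() if flags & bit)


def split_unpacked_line(line: str) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Return (dump rights, disk rights) from an 'Unpacked PE file: <id> <a> vs <b>' line."""
    m = re.search(r"Unpacked PE file:\s*\S+\s+(\S+)\s+vs\s+(\S+)", line)
    if not m:
        raise ValueError("not an 'Unpacked PE file' line carrying section rights")
    return parse_rights(m.group(1)), parse_rights(m.group(2))


def diff_section_rights(dump: Dict[str, int], disk: Dict[str, int]) -> List[str]:
    """Describe every way the in-memory section table departs from the on-disk one.
    An empty list means the header in memory still matches the file."""
    notes: List[str] = []
    for name in disk:
        if name not in dump:
            notes.append(f"{name} present on disk but absent from the dumped image")
    for name, flags in dump.items():
        if name not in disk:
            notes.append(f"{name} ({rights_to_letters(flags)}) exists only in the dumped image")
        elif flags != disk[name]:
            notes.append(f"{name} rights changed {rights_to_letters(disk[name])} -> {rights_to_letters(flags)}")
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            notes.append(f"{name} is writable and executable in memory (self-modifying or unpacked code)")
    return notes


def looks_unpacked(line: str) -> bool:
    dump, disk = split_unpacked_line(line)
    return bool(diff_section_rights(dump, disk))


def section_rights_from_pe(data: bytes) -> Dict[str, int]:
    """Read IMAGE_SECTION_HEADER.Characteristics from a PE (file or dump) and keep
    only the E/R/W bits, so the result compares directly with parse_rights()."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]    # SizeOfOptionalHeader
    table = pe + 24 + opt_size                                # section table follows the optional header
    rights: Dict[str, int] = {}
    for i in range(n_sections):
        # Name(8) ... 28 bytes of sizes/pointers/counts ... Characteristics(4) = 40-byte header
        name, characteristics = struct.unpack_from("<8s28xI", data, table + 40 * i)
        rights[name.rstrip(b"\0").decode("ascii", "replace")] = characteristics & 0xE0000000
    return rights


def build_header_only_pe(sections: Dict[str, int]) -> bytes:
    """Constructed test input: a header-only PE (no optional header, no section
    data) carrying the given Characteristics. Not loadable; just enough for
    section_rights_from_pe()."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(struct.pack("<8s28xI", n.encode(), f) for n, f in sections.items())
    return dos + coff + table


if __name__ == "__main__":
    dump_rights, disk_rights = split_unpacked_line(REPORT_LINE)
    for note in diff_section_rights(dump_rights, disk_rights):
        print(note)
```

To compare a dump you wrote to disk yourself, feed its bytes and the original sample's bytes to section_rights_from_pe() and pass the two maps to diff_section_rights(); the sandbox dump name (0.2.dendy.exe.400000.0.unpack) encodes process 0, run 2 and the image base 0x400000.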
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle, 8_2_00409D90
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045DDE5 LoadLibraryA,GetProcAddress,MessageBoxA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,SetThreadExecutionState, 0_2_0045DDE5
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004C112B push ecx; iretd 8_2_004C112C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004DD189 push ecx; ret 8_2_004DD19C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_02E3C17B push ebp; ret 8_2_02E3C181
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_02E3C536 push esp; ret 8_2_02E3C537
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_02E3DC08 push cs; ret 8_2_02E3DC09
Source: C:\Users\user\Desktop\dendy.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\dendy.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\dendy.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Boot Survival

Source: C:\Users\user\Desktop\dendy.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\dendy.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Desktop\dendy.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
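The persistence a responder has to hunt for is all in the entries above and in the matching process-creation entries earlier in the report: two schtasks /create calls registering the dropped C:\ProgramData\MPGPH131\MPGPH131.exe as an hourly task ("MPGPH131 HR") and an at-logon task ("MPGPH131 LG"), both with /f and /rl HIGHEST, plus the "RageMP131" value written under HKCU\...\CurrentVersion\Run. Two caveats worth keeping in mind: /rl HIGHEST only requests the highest run level available to the principal named by /RU, so for a standard user the task still runs at that user's own integrity level; and /f silently replaces any existing task of the same name, which is why the two schtasks calls can be re-run by every instance without error. The Python below is an added example, not part of the sandbox report or of the sample: it triages constructed telemetry records built from the report's own command lines, dropped-file paths and registry path and flags both registrations. The record shape (kind, image, command_line, target) is an assumption loosely modelled on Sysmon event IDs 1, 11 and 13, not a log format the report uses, and the "Vendor Update" task is a constructed benign control.

```python
r"""Persistence triage over process-creation, file-creation and registry telemetry.

Added example, not part of the sandbox report. The records in EVENTS are
constructed from the report's schtasks command lines, dropped-file paths and
Run-key path; the field names (kind, image, command_line, target) are an
assumption in the spirit of Sysmon event IDs 1, 11 and 13."""
import re
from typing import Dict, List, Optional, Set

# Staging directories a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"^c:\\(programdata|users\\[^\\]+\\appdata)\\", re.I)
# schtasks schedule types whose trigger keeps firing after a reboot or logon.
SURVIVAL_SCHEDULES = {"ONLOGON", "ONSTART", "MINUTE", "HOURLY", "DAILY", "WEEKLY"}
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\([^\\]+)$", re.I)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping "quoted strings" whole
    and dropping their quotes (cmd.exe does no backslash escaping)."""
    return [quoted if quoted else bare
            for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Map each /switch of a schtasks command line to its value ('' for bare
    switches such as /create and /f). Keys are lower-cased; {} if not schtasks."""
    tokens = tokenize(cmdline)
    prog = tokens[0].lower() if tokens else ""
    if prog not in ("schtasks", "schtasks.exe") and not prog.endswith("\\schtasks.exe"):
        return {}
    args: Dict[str, str] = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            if nxt and not nxt.startswith("/"):
                args[tok[1:].lower()] = nxt
                i += 2
                continue
            args[tok[1:].lower()] = ""
        i += 1
    return args


def triage_task(cmdline: str, dropped: Set[str]) -> Optional[dict]:
    """Flag a task registration that looks like dropper persistence; None if benign."""
    args = parse_schtasks(cmdline)
    if "create" not in args:
        return None
    action = args.get("tr", "")
    reasons: List[str] = []
    if USER_WRITABLE.match(action):
        reasons.append("action runs from a user-writable staging directory")
    if action.lower() in dropped:
        reasons.append("action is a file the analysed sample itself created")
    sched = args.get("sc", "").upper()
    if sched in SURVIVAL_SCHEDULES:
        reasons.append(f"/sc {sched}: trigger keeps firing after reboot/logon")
    if args.get("rl", "").upper() == "HIGHEST":
        reasons.append("/rl HIGHEST: runs with the principal's highest available token")
    if "f" in args:
        reasons.append("/f: overwrites any existing task of that name without prompting")
    if not reasons:
        return None
    return {"kind": "scheduled_task", "name": args.get("tn", ""), "action": action,
            "principal": args.get("ru", ""), "reasons": reasons}


def triage_run_value(target: str, image: str) -> Optional[dict]:
    """Flag a value written under HKCU/HKLM ...\CurrentVersion\Run or RunOnce."""
    m = RUN_KEY.search(target)
    if not m:
        return None
    return {"kind": "run_key", "name": m.group(2), "set_by": image,
            "reasons": [f"autostart value {m.group(2)!r} written by {image}"]}


def triage(events: List[dict]) -> List[dict]:
    """Correlate file-creation events with task actions and return all findings."""
    dropped = {e["target"].lower() for e in events if e["kind"] == "file_create"}
    findings: List[dict] = []
    for e in events:
        if e["kind"] == "process_create":
            f = triage_task(e["command_line"], dropped)
        elif e["kind"] == "registry_set":
            f = triage_run_value(e["target"], e["image"])
        else:
            f = None
        if f:
            findings.append(f)
    return findings


# Constructed telemetry mirroring the report's "File created", "Process created"
# and "Registry value created or modified" entries, plus one benign control.
EVENTS = [
    {"kind": "file_create", "image": r"C:\Users\user\Desktop\dendy.exe",
     "target": r"C:\ProgramData\MPGPH131\MPGPH131.exe"},
    {"kind": "file_create", "image": r"C:\Users\user\Desktop\dendy.exe",
     "target": r"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"},
    {"kind": "process_create", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "command_line": r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST'},
    {"kind": "process_create", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "command_line": r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST'},
    {"kind": "registry_set", "image": r"C:\Users\user\Desktop\dendy.exe",
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131"},
    {"kind": "process_create", "image": r"C:\Windows\System32\schtasks.exe",   # constructed benign control
     "command_line": r'schtasks /create /tn "Vendor Update" /tr "C:\Program Files\Vendor\update.exe" /sc ONCE /st 12:00'},
]

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding["kind"], finding["name"], "->", "; ".join(finding["reasons"]))
```

The correlation step is the part worth keeping: a task whose /tr action is a file the same process tree just wrote is a far stronger signal than any single schtasks switch, and the same join applies to the Run value once the data it points at is known (the report records only the value name, RageMP131, so the example does not assume its target).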
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_00482FE0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 8_2_00482FE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: c:\users\user\desktop\dendy.exe Event Logs and Signature results: Application crash and keyboard check
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\Users\user\Desktop\dendy.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\dendy.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\dendy.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\dendy.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\dendy.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 0_2_0045D9F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 8_2_0045D9F0
Source: C:\Users\user\Desktop\dendy.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\dendy.exe TID: 7020 Thread sleep count: 31 > 30
Source: C:\Users\user\Desktop\dendy.exe TID: 7020 Thread sleep count: 61 > 30
Source: C:\Users\user\Desktop\dendy.exe TID: 7020 Thread sleep count: 78 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6780 Thread sleep count: 60 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6780 Thread sleep count: 33 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6780 Thread sleep count: 52 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6780 Thread sleep count: 102 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7160 Thread sleep count: 56 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7160 Thread sleep count: 54 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7160 Thread sleep count: 105 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6256 Thread sleep count: 70 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6256 Thread sleep count: 122 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_00464270 GetKeyboardLayoutList followed by cmp: cmp esi, edi and CTI: je 00464293h 0_2_00464270
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_004624B0 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 004624C0h country: Upper Sorbian (hsb) 0_2_004624B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_00464270 GetKeyboardLayoutList followed by cmp: cmp esi, edi and CTI: je 00464293h 8_2_00464270
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004624B0 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 004624C0h country: Upper Sorbian (hsb) 8_2_004624B0
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_00492190 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 004921D1h 0_2_00492190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_00492190 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 004921D1h 8_2_00492190
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0040E7B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA, 0_2_0040E7B0
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_004DB1CB FindClose,FindFirstFileExW,GetLastError, 0_2_004DB1CB
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0040B300 GetDateFormatW,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_0040B300
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0041FA10 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_0041FA10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0040E7B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA, 8_2_0040E7B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004DB1CB FindClose,FindFirstFileExW,GetLastError, 8_2_004DB1CB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0040B300 GetDateFormatW,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 8_2_0040B300
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0041FA10 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 8_2_0041FA10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0043EAEB FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CopyFileA,CopyFileA, 8_2_0043EAEB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004DB251 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 8_2_004DB251
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0043FBB9 FindFirstFileA,FindNextFileA,GetLastError,FindClose,CreateFileA,GetFileSize,ReadFile,CloseHandle, 8_2_0043FBB9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_04B3B4B8 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 8_2_04B3B4B8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_04B3B432 FindClose,FindFirstFileExW,GetLastError, 8_2_04B3B432
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0040CD50 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0040CD50
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_dendy.exe_aa9f15d75e87e911f42a0812ef56c2977edd110_fa985918_b25a0167-156e-47da-8b75-d9e08c1e0ac7\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_8da9ded6fcd3711f80e32889caff945e9691e_62a9ba1a_4f7c52ae-a147-40d8-a3f2-8a9bebe00511\
Source: Amcache.hve.7.dr Binary or memory string: VMware
Source: RageMP131.exe, 0000001A.00000002.2495191919.0000000003050000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&n
Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2508595887.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2119466041.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030A9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: RageMP131.exe, 0000001A.00000003.2218615210.00000000030D4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2495191919.00000000030D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: MPGPH131.exe, 00000008.00000003.1787082883.0000000002F70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: MPGPH131.exe, 00000009.00000003.2307496857.0000000007848000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_BFCABCAF
Source: MPGPH131.exe, 00000008.00000002.2508595887.0000000002F00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 00000009.00000003.2307496857.0000000007848000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}j
Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
Source: MPGPH131.exe, 00000008.00000003.2410074087.00000000079A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}d
Source: dendy.exe, 00000000.00000003.1745606759.0000000002EA1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}p;
Source: MPGPH131.exe, 00000008.00000003.2410074087.00000000079A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}b
Source: dendy.exe, 00000000.00000002.2500536171.0000000002E30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&R:
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: RageMP131.exe, 0000001A.00000002.2496030568.0000000007967000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}U
Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: RageMP131.exe, 0000001A.00000002.2495191919.00000000030BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}M
Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: MPGPH131.exe, 00000009.00000003.1783804935.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}b
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
Source: RageMP131.exe, 0000001A.00000003.2392293405.0000000007981000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002EB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@:
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RageMP131.exe, 0000001A.00000003.1939608500.00000000030C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}L
Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002EBC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}v
Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn<
Source: dendy.exe, 00000000.00000002.2500536171.0000000002E90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWxU
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
Source: MPGPH131.exe, 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnK
Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: MPGPH131.exe, 00000009.00000002.2342275444.0000000002E60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&@
Source: dendy.exe, 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@I
Source: C:\Users\user\Desktop\dendy.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\dendy.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_00414870 IsDebuggerPresent, 0_2_00414870
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045E5D4 CreateThread,FindCloseChangeNotification,Sleep,GetTempPathA,CreateDirectoryA,CreateDirectoryA,OutputDebugStringA,CreateDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep, 0_2_0045E5D4
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045DDE5 LoadLibraryA,GetProcAddress,MessageBoxA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,SetThreadExecutionState, 0_2_0045DDE5
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_004160B0 mov ecx, dword ptr fs:[00000030h] 0_2_004160B0
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045E5D4 mov eax, dword ptr fs:[00000030h] 0_2_0045E5D4
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045E5D4 mov ecx, dword ptr fs:[00000030h] 0_2_0045E5D4
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0043CA90 mov eax, dword ptr fs:[00000030h] 0_2_0043CA90
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] 0_2_0045EA9C
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0041AB90 mov eax, dword ptr fs:[00000030h] 0_2_0041AB90
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045D9F0 mov eax, dword ptr fs:[00000030h] 0_2_0045D9F0
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0045DDE5 mov eax, dword ptr fs:[00000030h] 0_2_0045DDE5
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0041AB90 mov eax, dword ptr fs:[00000030h] 0_2_0041AB90
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_00414870 mov eax, dword ptr fs:[00000030h] 0_2_00414870
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0045E5D4 mov eax, dword ptr fs:[00000030h] 8_2_0045E5D4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0045E5D4 mov ecx, dword ptr fs:[00000030h] 8_2_0045E5D4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0043CA90 mov eax, dword ptr fs:[00000030h] 8_2_0043CA90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h] 8_2_0045EA9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0041AB90 mov eax, dword ptr fs:[00000030h] 8_2_0041AB90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0045D9F0 mov eax, dword ptr fs:[00000030h] 8_2_0045D9F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0045DDE5 mov eax, dword ptr fs:[00000030h] 8_2_0045DDE5
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0041AB90 mov eax, dword ptr fs:[00000030h] 8_2_0041AB90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004160B0 mov ecx, dword ptr fs:[00000030h] 8_2_004160B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0041AB90 mov eax, dword ptr fs:[00000030h] 8_2_0041AB90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_00414870 mov eax, dword ptr fs:[00000030h] 8_2_00414870
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h] 8_2_00414ED0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0041AB90 mov eax, dword ptr fs:[00000030h] 8_2_0041AB90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0041EF10 mov eax, dword ptr fs:[00000030h] 8_2_0041EF10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0041AB90 mov eax, dword ptr fs:[00000030h] 8_2_0041AB90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_02E390A3 push dword ptr fs:[00000030h] 8_2_02E390A3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_00482C80 GetProcessHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 8_2_00482C80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004DD3B4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_004DD3B4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004DD74D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_004DD74D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004E1C94 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_004E1C94

HIPS / PFW / Operating System Protection Evasion

Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_00418BB0 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 8_2_00418BB0
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_004149F0 cpuid 0_2_004149F0
Source: C:\Users\user\Desktop\dendy.exe Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0040CD50
Source: C:\Users\user\Desktop\dendy.exe Code function: EnumSystemLocalesW, 0_2_004FC045
Source: C:\Users\user\Desktop\dendy.exe Code function: EnumSystemLocalesW, 0_2_004FC090
Source: C:\Users\user\Desktop\dendy.exe Code function: EnumSystemLocalesW, 0_2_004FC12B
Source: C:\Users\user\Desktop\dendy.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_004FC1B6
Source: C:\Users\user\Desktop\dendy.exe Code function: EnumSystemLocalesW, 0_2_004F43EA
Source: C:\Users\user\Desktop\dendy.exe Code function: GetLocaleInfoW, 0_2_004FC409
Source: C:\Users\user\Desktop\dendy.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_004FC532
Source: C:\Users\user\Desktop\dendy.exe Code function: GetLocaleInfoW, 0_2_004FC638
Source: C:\Users\user\Desktop\dendy.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_004FC70E
Source: C:\Users\user\Desktop\dendy.exe Code function: GetLocaleInfoW, 0_2_004F496D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 8_2_0040CD50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 8_2_004FC045
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 8_2_004FC090
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 8_2_004FC12B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_004FC1B6
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 8_2_004F43EA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 8_2_004FC409
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_004FC532
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 8_2_004FC638
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_004FC70E
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 8_2_004F496D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoEx,FormatMessageA, 8_2_004DAFC3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 8_2_004FBD99
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 8_2_004FBF9E
Source: C:\Users\user\Desktop\dendy.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\dendy.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_0040CD50 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0040CD50
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_00446020 CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,CopyFileA,SHGetFolderPathA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,ShellExecuteA, 0_2_00446020
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_004F636F GetTimeZoneInformation, 0_2_004F636F
Source: C:\Users\user\Desktop\dendy.exe Code function: 0_2_00491C30 GetVersionExA,CreateFileW, 0_2_00491C30
Source: C:\Users\user\Desktop\dendy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 0.2.dendy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MPGPH131.exe.4a60e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RageMP131.exe.4a40e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.dendy.exe.4a80e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RageMP131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.MPGPH131.exe.4bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.MPGPH131.exe.4bb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.RageMP131.exe.4b90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.dendy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RageMP131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MPGPH131.exe.4a70e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.dendy.exe.4bd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2510972800.0000000007981000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2495191919.000000000305E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2501929485.0000000007984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2343911888.00000000077F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2415493241.0000000007984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2496030568.0000000007920000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2502097335.000000000799A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2510035968.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2415760901.0000000007999000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2415493241.0000000007995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2340303087.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1754038237.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2493907103.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1754837586.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1719048251.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.1896337586.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2343384935.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2506460203.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dendy.exe PID: 7028, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6996, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 5164, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\c9bTQaLpRNBVsUoe4pkuQMW.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\6XWWeAeVicQTZ7HrJgfaAa9.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7SoGIg_Dgh61RYTHw6zemBp.zip, type: DROPPED
Source: dendy.exe, 00000000.00000003.2415734936.0000000002F28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets?
Source: dendy.exe, 00000000.00000003.2383566671.00000000079B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: dendy.exe, 00000000.00000003.2383566671.00000000079B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Jaxx\Local Storage
Source: dendy.exe, 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: dendy.exe, 00000000.00000003.2415734936.0000000002F28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: dendy.exe, 00000000.00000002.2500954846.0000000002F11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: dendy.exe, 00000000.00000002.2500954846.0000000002F11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: dendy.exe, 00000000.00000002.2500954846.0000000002F11000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: dendy.exe, 00000000.00000003.2415734936.0000000002F28000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger LiveY
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Desktop\dendy.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\dendy.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 00000009.00000002.2342275444.0000000002EF2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2500954846.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2495191919.000000000312B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2415846117.0000000002EB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2508595887.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dendy.exe PID: 7028, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6996, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 5164, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0.2.dendy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MPGPH131.exe.4a60e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RageMP131.exe.4a40e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.dendy.exe.4a80e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RageMP131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.MPGPH131.exe.4bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.MPGPH131.exe.4bb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.RageMP131.exe.4b90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.dendy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RageMP131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MPGPH131.exe.4a70e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.dendy.exe.4bd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2510972800.0000000007981000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2495191919.000000000305E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2501929485.0000000007984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2343911888.00000000077F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2415493241.0000000007984000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2496030568.0000000007920000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2502097335.000000000799A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2495613605.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2510035968.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2415760901.0000000007999000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2415493241.0000000007995000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2340303087.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2501387878.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.1754038237.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2493907103.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1754837586.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2499170949.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1719048251.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.1896337586.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2343384935.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2506460203.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dendy.exe PID: 7028, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6996, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 5164, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\c9bTQaLpRNBVsUoe4pkuQMW.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\6XWWeAeVicQTZ7HrJgfaAa9.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\7SoGIg_Dgh61RYTHw6zemBp.zip, type: DROPPED