Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1427905
MD5: 265d5b8b9f603f0f5ef62f2c27449607
SHA1: 39576d6d8388dea489946141dbccf9cf5fe3a28f
SHA256: 948d096a3931a22f116b93ffeefb3a374834d8eb578620c0ffc83f3e468eed81
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Country aware sample found (crashes after keyboard check)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection

Source: file.exe Avira: detected
Source: http://193.233.132.167/cost/lenin.exe URL Reputation: Label: malware
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Avira: detection malicious, Label: HEUR/AGEN.1310450
Source: http://147.45.47.102:57893/hera/amadka.exe Virustotal: Detection: 15%
Source: http://193.233.132.167/cost/go.exe Virustotal: Detection: 24%
Source: http://193.233.132.167/cost/go.exee Virustotal: Detection: 23%
Source: http://193.233.132.167/cost/lenin.exe192.168.0 Virustotal: Detection: 24%
Source: http://193.233.132.167/cost/go.exero Virustotal: Detection: 23%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 47%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Virustotal: Detection: 47%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Virustotal: Detection: 47%
Source: file.exe ReversingLabs: Detection: 47%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041F3EB CryptUnprotectData,LocalFree, 0_2_0041F3EB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0041F3EB CryptUnprotectData,LocalFree, 8_2_0041F3EB

Compliance

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 17.2.RageMP131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 26.2.RageMP131.exe.400000.0.unpack
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: Binary string: C:\kiyecatuvoxule\xawip-har\kizipinayuzeh.pdb source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr
Source: Binary string: (C:\kiyecatuvoxule\xawip-har\kizipinayuzeh.pdb source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E7B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA, 0_2_0040E7B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004DB1CB FindClose,FindFirstFileExW,GetLastError, 0_2_004DB1CB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040B300 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_0040B300
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041FA10 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_0041FA10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0043EAEB FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CopyFileA,CopyFileA, 0_2_0043EAEB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0040E7B0 FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA, 8_2_0040E7B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0043CA90 CreateThread,CredEnumerateA,SHGetFolderPathA,CreateThread,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CopyFileA,CopyFileA, 8_2_0043CA90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004DB1CB FindClose,FindFirstFileExW,GetLastError, 8_2_004DB1CB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004DB251 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 8_2_004DB251
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0040B300 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 8_2_0040B300

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49739
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49739 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49739
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49740
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49740 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49746
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49747
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49746 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49746
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49747
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49747 -> 147.45.47.93:58709
Source: global traffic TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Joe Sandbox View IP Address: 34.117.186.192
Source: Joe Sandbox View IP Address: 147.45.47.93
Source: Joe Sandbox View IP Address: 104.26.4.15
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown DNS query: name: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: db-ip.com
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041E220 recv,setsockopt,recv,WSAGetLastError,recv,recv,setsockopt,recv,recv,recv,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep, 0_2_0041E220
Source: global traffic HTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: db-ip.com
Source: unknown DNS traffic detected: queries for: ipinfo.io
Source: RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: RageMP131.exe, 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2305959394.0000000003002000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe.52
Source: RageMP131.exe, 00000011.00000002.2353080317.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2343251890.0000000007A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeDatae
Source: file.exe, 00000000.00000002.2258233237.0000000007A40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe_prof
Source: RageMP131.exe, 0000001A.00000003.2600149129.0000000007A92000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2604583006.0000000007A92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exedatD
Source: file.exe, 00000000.00000003.2072010146.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068786897.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2023096366.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2258233237.0000000007A40000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2305959394.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600149129.0000000007A92000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2604583006.0000000007A92000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe
Source: RageMP131.exe, 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2305959394.0000000003002000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exee
Source: file.exe, 00000000.00000002.2258233237.0000000007A40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exeoinxs
Source: RageMP131.exe, 0000001A.00000003.2600149129.0000000007A92000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2604583006.0000000007A92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exero
Source: file.exe, 00000000.00000003.2023096366.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2258233237.0000000007A40000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2353080317.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2343251890.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2305959394.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600149129.0000000007A92000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2604583006.0000000007A92000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe
Source: RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe192.168.0
Source: RageMP131.exe, 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2305959394.0000000003002000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exepro_botF
Source: file.exe, 00000000.00000002.2258233237.0000000007A40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exese
Source: RageMP131.exe, 0000001A.00000003.2600149129.0000000007A92000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2604583006.0000000007A92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe~
Source: MPGPH131.exe, 00000009.00000002.2554347578.0000000002EAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mtO
Source: Amcache.hve.7.dr String found in binary or memory: http://upx.sf.net
Source: file.exe, file.exe, 00000000.00000003.1698876622.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2345569703.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2552258510.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2355371299.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2552333219.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.1935064684.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2345301493.0000000000400000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000001A.00000002.2601441093.0000000000400000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000001A.00000003.2050121383.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603802110.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000003.1698876622.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2345569703.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2552258510.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2355371299.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2552333219.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.1935064684.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2345301493.0000000000400000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000001A.00000002.2601441093.0000000000400000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000001A.00000003.2050121383.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603802110.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDllDpRTpR
Source: file.exe, 00000000.00000003.2069670213.0000000007A97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072850690.0000000007AC2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070675750.0000000007AB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204823122.0000000007AA1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205392926.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207595025.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2463165278.0000000007ABB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2462740121.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2466057502.0000000007AD5000.00000004.00000020.00020000.00000000.sdmp, Tx9lIpMUG2zOWeb Data.26.dr, weyqQCNm9HN2Web Data.0.dr, tcNWocR92MUuWeb Data.17.dr, ToLgTrDbYUcjWeb Data.26.dr, FxAu1a1JDtB8Web Data.0.dr, eBt1v4cLiOqEWeb Data.0.dr, fotzzxFskzb6Web Data.17.dr, 8Mse1jO6nK1IWeb Data.26.dr, 6_PbUyeA3kVjWeb Data.17.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.2069670213.0000000007A97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072850690.0000000007AC2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070675750.0000000007AB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204823122.0000000007AA1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205392926.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207595025.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2463165278.0000000007ABB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2462740121.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2466057502.0000000007AD5000.00000004.00000020.00020000.00000000.sdmp, Tx9lIpMUG2zOWeb Data.26.dr, weyqQCNm9HN2Web Data.0.dr, tcNWocR92MUuWeb Data.17.dr, ToLgTrDbYUcjWeb Data.26.dr, FxAu1a1JDtB8Web Data.0.dr, eBt1v4cLiOqEWeb Data.0.dr, fotzzxFskzb6Web Data.17.dr, 8Mse1jO6nK1IWeb Data.26.dr, 6_PbUyeA3kVjWeb Data.17.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2069670213.0000000007A97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072850690.0000000007AC2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070675750.0000000007AB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204823122.0000000007AA1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205392926.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207595025.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2463165278.0000000007ABB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2462740121.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2466057502.0000000007AD5000.00000004.00000020.00020000.00000000.sdmp, Tx9lIpMUG2zOWeb Data.26.dr, weyqQCNm9HN2Web Data.0.dr, tcNWocR92MUuWeb Data.17.dr, ToLgTrDbYUcjWeb Data.26.dr, FxAu1a1JDtB8Web Data.0.dr, eBt1v4cLiOqEWeb Data.0.dr, fotzzxFskzb6Web Data.17.dr, 8Mse1jO6nK1IWeb Data.26.dr, 6_PbUyeA3kVjWeb Data.17.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2069670213.0000000007A97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072850690.0000000007AC2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070675750.0000000007AB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204823122.0000000007AA1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205392926.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207595025.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2463165278.0000000007ABB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2462740121.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2466057502.0000000007AD5000.00000004.00000020.00020000.00000000.sdmp, Tx9lIpMUG2zOWeb Data.26.dr, weyqQCNm9HN2Web Data.0.dr, tcNWocR92MUuWeb Data.17.dr, ToLgTrDbYUcjWeb Data.26.dr, FxAu1a1JDtB8Web Data.0.dr, eBt1v4cLiOqEWeb Data.0.dr, fotzzxFskzb6Web Data.17.dr, 8Mse1jO6nK1IWeb Data.26.dr, 6_PbUyeA3kVjWeb Data.17.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MPGPH131.exe, 00000008.00000002.2554428927.0000000003128000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002EAC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2305959394.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: MPGPH131.exe, 00000008.00000002.2554428927.0000000003128000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/?
Source: file.exe, 00000000.00000003.2023096366.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2554428927.00000000030E9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2554428927.0000000003128000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002E58000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002EAC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2305959394.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002FA8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600250501.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52
Source: MPGPH131.exe, 00000009.00000002.2554347578.0000000002EAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.525w
Source: RageMP131.exe, 00000011.00000002.2348884384.0000000002FDC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52gQ
Source: MPGPH131.exe, 00000008.00000002.2554428927.0000000003128000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52j
Source: MPGPH131.exe, 00000009.00000002.2554347578.0000000002EAC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2305959394.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52
Source: MPGPH131.exe, 00000008.00000002.2554428927.00000000030E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52D)
Source: file.exe, 00000000.00000003.2072010146.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068786897.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2023096366.00000000030B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52r
Source: file.exe, 00000000.00000003.2069670213.0000000007A97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072850690.0000000007AC2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070675750.0000000007AB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204823122.0000000007AA1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205392926.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207595025.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2463165278.0000000007ABB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2462740121.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2466057502.0000000007AD5000.00000004.00000020.00020000.00000000.sdmp, Tx9lIpMUG2zOWeb Data.26.dr, weyqQCNm9HN2Web Data.0.dr, tcNWocR92MUuWeb Data.17.dr, ToLgTrDbYUcjWeb Data.26.dr, FxAu1a1JDtB8Web Data.0.dr, eBt1v4cLiOqEWeb Data.0.dr, fotzzxFskzb6Web Data.17.dr, 8Mse1jO6nK1IWeb Data.26.dr, 6_PbUyeA3kVjWeb Data.17.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2069670213.0000000007A97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072850690.0000000007AC2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070675750.0000000007AB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204823122.0000000007AA1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205392926.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207595025.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2463165278.0000000007ABB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2462740121.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2466057502.0000000007AD5000.00000004.00000020.00020000.00000000.sdmp, Tx9lIpMUG2zOWeb Data.26.dr, weyqQCNm9HN2Web Data.0.dr, tcNWocR92MUuWeb Data.17.dr, ToLgTrDbYUcjWeb Data.26.dr, FxAu1a1JDtB8Web Data.0.dr, eBt1v4cLiOqEWeb Data.0.dr, fotzzxFskzb6Web Data.17.dr, 8Mse1jO6nK1IWeb Data.26.dr, 6_PbUyeA3kVjWeb Data.17.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2069670213.0000000007A97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072850690.0000000007AC2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070675750.0000000007AB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204823122.0000000007AA1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205392926.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207595025.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2463165278.0000000007ABB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2462740121.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2466057502.0000000007AD5000.00000004.00000020.00020000.00000000.sdmp, Tx9lIpMUG2zOWeb Data.26.dr, weyqQCNm9HN2Web Data.0.dr, tcNWocR92MUuWeb Data.17.dr, ToLgTrDbYUcjWeb Data.26.dr, FxAu1a1JDtB8Web Data.0.dr, eBt1v4cLiOqEWeb Data.0.dr, fotzzxFskzb6Web Data.17.dr, 8Mse1jO6nK1IWeb Data.26.dr, 6_PbUyeA3kVjWeb Data.17.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, file.exe, 00000000.00000002.2256177341.000000000305D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072010146.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068786897.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.00000000030A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072010146.00000000030B1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2023096366.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.000000000307B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068786897.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2023096366.00000000030B1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000008.00000002.2554428927.00000000030E9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2554428927.00000000030CF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2554428927.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2554428927.0000000003128000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002E5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002E30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002EAC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2348884384.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: file.exe, 00000000.00000002.2256177341.00000000030A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072010146.00000000030B1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068786897.00000000030B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2023096366.00000000030B1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2554428927.00000000030E9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2349974931.0000000002FFE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2307237063.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2305959394.0000000002FFD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600250501.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: file.exe, 00000000.00000003.1698876622.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2345569703.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2552258510.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2355371299.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2552333219.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.1935064684.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2345301493.0000000000400000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000001A.00000002.2601441093.0000000000400000.00000040.00000001.01000000.00000007.sdmp, RageMP131.exe, 0000001A.00000003.2050121383.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603802110.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 00000009.00000002.2554347578.0000000002E30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/n
Source: file.exe, 00000000.00000002.2256177341.000000000307B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2554428927.00000000030A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/t
Source: file.exe, 00000000.00000002.2256177341.00000000030A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.000000000307B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2554428927.00000000030AA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002E40000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2348884384.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2306068480.0000000002FF6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2307548661.0000000002FF6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2349881372.0000000002FF6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2312025857.0000000002FF6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2308251432.0000000002FF6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002F95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600250501.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52
Source: MPGPH131.exe, 00000009.00000002.2554347578.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52$v
Source: MPGPH131.exe, 00000008.00000002.2554428927.00000000030AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52.tmpW
Source: MPGPH131.exe, 00000008.00000002.2554428927.00000000030E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52H)
Source: RageMP131.exe, 0000001A.00000002.2603079344.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/~
Source: file.exe, 00000000.00000002.2256177341.00000000030A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2554428927.00000000030E9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2306068480.0000000002FF6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2307548661.0000000002FF6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2349881372.0000000002FF6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2312025857.0000000002FF6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2308251432.0000000002FF6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600250501.0000000002FBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: RageMP131.exe, 00000011.00000003.2207015077.0000000007ABD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2465348973.0000000007AB3000.00000004.00000020.00020000.00000000.sdmp, LZlzsFoefEVpHistory.17.dr, d4QTaPGdbj7gHistory.17.dr, MBSHfyCuKHxNHistory.26.dr, IcPAi7xok6iaHistory.0.dr, QkoBCD2tTFlpHistory.0.dr, GUahzsMvIC8wHistory.26.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: LZlzsFoefEVpHistory.17.dr, d4QTaPGdbj7gHistory.17.dr, MBSHfyCuKHxNHistory.26.dr, IcPAi7xok6iaHistory.0.dr, QkoBCD2tTFlpHistory.0.dr, GUahzsMvIC8wHistory.26.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: RageMP131.exe, 00000011.00000003.2207015077.0000000007ABD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2465348973.0000000007AB3000.00000004.00000020.00020000.00000000.sdmp, LZlzsFoefEVpHistory.17.dr, d4QTaPGdbj7gHistory.17.dr, MBSHfyCuKHxNHistory.26.dr, IcPAi7xok6iaHistory.0.dr, QkoBCD2tTFlpHistory.0.dr, GUahzsMvIC8wHistory.26.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: LZlzsFoefEVpHistory.17.dr, d4QTaPGdbj7gHistory.17.dr, MBSHfyCuKHxNHistory.26.dr, IcPAi7xok6iaHistory.0.dr, QkoBCD2tTFlpHistory.0.dr, GUahzsMvIC8wHistory.26.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: MPGPH131.exe, 00000009.00000002.2554347578.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.G
Source: RageMP131.exe, 0000001A.00000002.2604404588.0000000007A40000.00000004.00000020.00020000.00000000.sdmp, dSyaNbAby9QXs4RBu3VN33H.zip.17.dr, e_uwnYJDOrnylP4tGD1vKSo.zip.0.dr, OfCx6VeglYVpWTwI9NddWAo.zip.26.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe, 00000011.00000003.2307637364.0000000007A99000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT$
Source: RageMP131.exe, 00000011.00000002.2352946266.0000000007A40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTR
Source: MPGPH131.exe, 00000008.00000002.2554428927.000000000306E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTS)
Source: RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2568774506.0000000007AFA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2604404588.0000000007A40000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr, passwords.txt.26.dr, passwords.txt.17.dr String found in binary or memory: https://t.me/risepro_bot
Source: file.exe, 00000000.00000003.2072010146.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068786897.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2023096366.00000000030B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot.
Source: MPGPH131.exe, 00000009.00000002.2554347578.0000000002EAC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot1.181.57.52
Source: file.exe, 00000000.00000003.2072010146.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068786897.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2023096366.00000000030B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botW
Source: RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: file.exe, 00000000.00000003.2072010146.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068786897.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2023096366.00000000030B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botlater
Source: MPGPH131.exe, 00000008.00000002.2554428927.0000000003128000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botrisepro
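The t.me/risepro_bot and t.me/RiseProSUPPORT strings above are the operator's contact handles (they also land in the dropped passwords.txt and the exfiltration .zip), while the ipinfo.io, db-ip.com and maxmind.com strings are the sample geolocating the analysis machine's own egress address (81.181.57.52 is the sandbox's IP, not attacker infrastructure), and the search-engine and support.office.com URLs come from Web Data, History and places.sqlite files copied out of the victim profile. Many entries are the same URL with a few bytes of memory-scrape residue glued on (`...57.525w`, `...risepro_botlater`, `...2016Examples`). The following script is an added triage example, not part of the Joe Sandbox report: it parses lines in this exact format, re-joins records that were wrapped mid-line, splits back-to-back URLs, folds residue variants onto a canonical URL and labels each one so that only the attacker contact points reach a blocklist. The sample lines are constructed in the report's shape with the dump names shortened; the label names, the host lists and the 12-byte residue threshold are this example's own assumptions.

```python
"""Triage helper for Joe Sandbox 'String found in binary or memory' lines (added
example, not part of the report). Assumptions: label names, host lists and the
MAX_RESIDUE threshold are this example's own choices."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in the shape of the report's lines (dump names shortened);
# the last record is deliberately wrapped across two lines like the report.
SAMPLE_LINES = """\
Source: MPGPH131.exe, 00000009.00000002.2554347578.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.525w
Source: file.exe, 00000000.00000003.2023096366.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52
Source: RageMP131.exe, 00000011.00000002.2349974931.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52
Source: file.exe, 00000000.00000002.2254819923.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: file.exe, 00000000.00000003.2069670213.sdmp, weyqQCNm9HN2Web Data.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: LZlzsFoefEVpHistory.17.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: file.exe, 00000000.00000003.2072010146.sdmp String found in binary or memory: https://t.me/risepro_botlater
Source: RageMP131.exe, 0000001A.00000002.2604404588.sdmp, passwords.txt.0.dr String found in binary or memory: https://t.me/risepro_bot
Source: dSyaNbAby9QXs4RBu3VN33H.zip.17.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: file.exe, 00000000.00000002.2258233237.sdmp, RageMP131.exe,
0000001A.00000002.2604583006.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
""".splitlines()

LINE_RE = re.compile(r"^Source: (?P<sources>.+?) String found in binary or memory: (?P<value>\S+)$")
URL_RE = re.compile(r"https?://\S*?(?=https?://|$)")  # splits back-to-back URLs
BROWSER_DB_RE = re.compile(r"(Web Data|History|Login Data|places\.sqlite)\.\d+\.dr$")
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
ATTACKER_CONTACT_HOSTS = {"t.me"}                                  # assumption
GEOLOCATION_HOSTS = {"ipinfo.io", "db-ip.com", "www.maxmind.com"}  # assumption
MAX_RESIDUE = 12  # longest trailing scrape residue folded away, e.g. "5w", ".tmpW", "Install"


def unwrap(lines):
    """Re-join records wrapped mid-line: a continuation never starts with 'Source:'."""
    out = []
    for line in lines:
        if line.startswith("Source:") or not out:
            out.append(line)
        else:
            out[-1] = out[-1].rstrip() + " " + line.lstrip()
    return out


def normalize(url):
    """Drop a default port (':443'/':80') and any fragment; return (url, host)."""
    p = urlsplit(url)
    try:
        port = p.port
    except ValueError:
        port = None
    host = (p.hostname or "").lower()
    netloc = host if port == (443 if p.scheme == "https" else 80) else p.netloc
    return urlunsplit((p.scheme, netloc, p.path, p.query, "")), host


def fold_residue(urls):
    """Map each URL to the shortest known URL it extends by a short, slash-free tail.
    A tail containing '/' is kept as its own URL since it may be a real longer path."""
    canonical, mapping = [], {}
    for u in sorted(urls, key=len):
        bases = [c for c in canonical if u.startswith(c)
                 and 0 < len(u) - len(c) <= MAX_RESIDUE and "/" not in u[len(c):]]
        mapping[u] = max(bases, key=len) if bases else u
        if not bases:
            canonical.append(u)
    return mapping


def classify(host, dropped):
    if host in ATTACKER_CONTACT_HOSTS:
        return "attacker-contact"     # the only strings here worth blocking or hunting
    if host in GEOLOCATION_HOSTS:
        return "victim-geolocation"   # lookups of the analysis machine's own egress IP
    if any(BROWSER_DB_RE.search(d) for d in dropped):
        return "stolen-browser-data"  # search engines/bookmarks copied from the victim profile
    return "unclassified"


def triage(lines):
    """Return {canonical_url: {host, label, processes, dropped, variants}}."""
    seen = defaultdict(lambda: {"processes": set(), "dropped": set()})
    hosts = {}
    for line in unwrap(lines):
        m = LINE_RE.match(line)
        if not m:
            continue
        tokens = [t.strip() for t in m.group("sources").split(", ")]
        procs = {t for t in tokens if t.lower().endswith(".exe")}
        dropped = {t for t in tokens if t.endswith(".dr")}
        for url in URL_RE.findall(m.group("value")):
            norm, host = normalize(url)
            hosts[norm] = host
            seen[norm]["processes"] |= procs
            seen[norm]["dropped"] |= dropped
    result = {}
    for norm, canon in fold_residue(hosts).items():
        e = result.setdefault(canon, {"host": hosts[canon], "processes": set(),
                                      "dropped": set(), "variants": set()})
        e["processes"] |= seen[norm]["processes"]
        e["dropped"] |= seen[norm]["dropped"]
        if norm != canon:
            e["variants"].add(norm)
    for e in result.values():
        e["label"] = classify(e["host"], e["dropped"])
    return result


def looked_up_ips(result):
    """IPs passed to the geolocation services: the sandbox's egress address, never a blocklist entry."""
    return {ip for url, e in result.items() if e["label"] == "victim-geolocation"
            for ip in IP_RE.findall(url)}


def blocklist_candidates(result):
    return sorted(u for u, e in result.items() if e["label"] == "attacker-contact")


if __name__ == "__main__":
    report = triage(SAMPLE_LINES)
    for url, e in sorted(report.items(), key=lambda kv: kv[1]["label"]):
        print(f'{e["label"]:<21} {url}  procs={sorted(e["processes"])} variants={len(e["variants"])}')
    print("looked-up IPs (do not block):", looked_up_ips(report))
```

Run it against the full "String found in binary or memory" block of a report and only the `attacker-contact` rows belong in a blocklist; the `victim-geolocation` rows are useful for a network detection on the lookup pattern (`/widget/demo/<ip>`, `/demo/home.php?s=<ip>`) rather than on the IP they contain.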
Source: file.exe, 00000000.00000003.2069670213.0000000007A97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072850690.0000000007AC2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070675750.0000000007AB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204823122.0000000007AA1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205392926.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207595025.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2463165278.0000000007ABB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2462740121.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2466057502.0000000007AD5000.00000004.00000020.00020000.00000000.sdmp, Tx9lIpMUG2zOWeb Data.26.dr, weyqQCNm9HN2Web Data.0.dr, tcNWocR92MUuWeb Data.17.dr, ToLgTrDbYUcjWeb Data.26.dr, FxAu1a1JDtB8Web Data.0.dr, eBt1v4cLiOqEWeb Data.0.dr, fotzzxFskzb6Web Data.17.dr, 8Mse1jO6nK1IWeb Data.26.dr, 6_PbUyeA3kVjWeb Data.17.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2069670213.0000000007A97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072850690.0000000007AC2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070675750.0000000007AB6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204823122.0000000007AA1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205392926.0000000007AD0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207595025.0000000007ACE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2463165278.0000000007ABB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2462740121.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2466057502.0000000007AD5000.00000004.00000020.00020000.00000000.sdmp, Tx9lIpMUG2zOWeb Data.26.dr, weyqQCNm9HN2Web Data.0.dr, tcNWocR92MUuWeb Data.17.dr, ToLgTrDbYUcjWeb Data.26.dr, FxAu1a1JDtB8Web Data.0.dr, eBt1v4cLiOqEWeb Data.0.dr, fotzzxFskzb6Web Data.17.dr, 8Mse1jO6nK1IWeb Data.26.dr, 6_PbUyeA3kVjWeb Data.17.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000003.2072010146.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068786897.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2258233237.0000000007A40000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2206916968.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2203998016.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207361950.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2209672095.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205935807.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204462762.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207840188.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2353080317.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205561890.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2209349772.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204892541.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2343251890.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2208459725.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2206158263.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204206244.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600149129.0000000007A92000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2604583006.0000000007A92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.2074032515.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075009905.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072588247.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2258287784.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070998670.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073084064.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2076462071.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078211008.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2069734712.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2206916968.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2203998016.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207361950.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2209672095.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205935807.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204462762.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207840188.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2353080317.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205561890.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2209349772.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204892541.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2343251890.0000000007A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: RageMP131.exe, 0000001A.00000003.2600149129.0000000007A92000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2604583006.0000000007A92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/O
Source: file.exe, 00000000.00000002.2258233237.0000000007A40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/n
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2072010146.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068786897.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2258233237.0000000007A40000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2206916968.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2203998016.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2348884384.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207361950.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2209672095.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205935807.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204462762.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207840188.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2353080317.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205561890.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2209349772.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204892541.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2343251890.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2208459725.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2206158263.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204206244.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000003.2600149129.0000000007A92000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: RageMP131.exe, 00000011.00000002.2348884384.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/6)
Source: file.exe, 00000000.00000003.2072010146.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068786897.00000000030B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ata
Source: RageMP131.exe, 00000011.00000003.2206916968.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2203998016.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207361950.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2209672095.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205935807.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204462762.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207840188.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2353080317.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205561890.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2209349772.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204892541.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2343251890.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2208459725.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2206158263.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204206244.0000000007A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/efox/
Source: file.exe, 00000000.00000003.2074032515.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075009905.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072588247.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2258287784.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070998670.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073084064.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2076462071.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2078211008.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2069734712.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2206916968.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2203998016.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207361950.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2209672095.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205935807.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204462762.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2207840188.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2353080317.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2205561890.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2209349772.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204892541.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2343251890.0000000007A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: RageMP131.exe, 00000011.00000002.2353080317.0000000007A88000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2343251890.0000000007A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/inata
Source: RageMP131.exe, 0000001A.00000003.2600250501.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/refox
Source: file.exe, 00000000.00000002.2258233237.0000000007A40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/y.jaxxZs
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49751 version: TLS 1.2

System Summary

Source: 00000011.00000002.2350759257.0000000004A1C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2256109726.0000000002F51000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000009.00000002.2555380044.0000000002FCE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001A.00000002.2603730581.0000000004A22000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.2554245395.0000000002F65000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001A.00000002.2603802110.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\file.exe Code function: String function: 004DD5B0 appears 40 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00402D00 appears 39 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0046A190 appears 94 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0048FE50 appears 51 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00469F00 appears 49 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 004DD5B0 appears 43 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 0048FE50 appears 69 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 00469F00 appears 48 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 00402D00 appears 36 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 0046A190 appears 91 times
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 784
Source: file.exe Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000003.1698876622.0000000004C20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewpa.dll( vs file.exe
Source: file.exe, 00000000.00000003.1742232486.0000000003093000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFires0 vs file.exe
Source: file.exe, 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamewpa.dll( vs file.exe
Source: file.exe, 00000000.00000000.1643190552.0000000002DBA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFires0 vs file.exe
Source: file.exe, 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewpa.dll( vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameFires0 vs file.exe
Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000011.00000002.2350759257.0000000004A1C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2256109726.0000000002F51000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000002.2555380044.0000000002FCE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001A.00000002.2603730581.0000000004A22000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.2554245395.0000000002F65000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001A.00000002.2603802110.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@25/125@3/3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00492300 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA, 0_2_00492300
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00491D10 CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA, 0_2_00491D10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040CD50 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0040CD50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00446020 CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,CopyFileA,SHGetFolderPathA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,ShellExecuteA, 0_2_00446020
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7328
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7988
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, file.exe, 00000000.00000003.1698876622.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2345569703.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2552258510.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2355371299.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2552333219.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000003.1698876622.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2345569703.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2552258510.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2355371299.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2552333219.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.1935064684.0000000004C30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: RageMP131.exe, 00000011.00000003.2203998016.0000000007A73000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2204462762.0000000007A73000.00000004.00000020.00020000.00000000.sdmp, rzThZlFR926oLogin Data.17.dr, jTDil21rwmscLogin Data For Account.0.dr, MKjdaszvj8XCLogin Data For Account.17.dr, SjNa0HpZUcV6Login Data For Account.26.dr, 2_TMjP6pWvYDLogin Data.0.dr, MGPDw7uupP6KLogin Data.26.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 47%
Source: file.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 784
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 960
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1008
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 996
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1020
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1416
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1828
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1848
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 820
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1808
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1940
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 940
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 1948
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 952
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msimg32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msvcr100.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msimg32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msvcr100.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dpapi.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\kiyecatuvoxule\xawip-har\kizipinayuzeh.pdb source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr
Source: Binary string: (C:\kiyecatuvoxule\xawip-har\kizipinayuzeh.pdb source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 17.2.RageMP131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 26.2.RageMP131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 17.2.RageMP131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 26.2.RageMP131.exe.400000.0.unpack
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0045DDE5 LoadLibraryA,GetProcAddress,MessageBoxA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,SetThreadExecutionState, 0_2_0045DDE5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004C112B push ecx; iretd 0_2_004C112C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004DD189 push ecx; ret 0_2_004DD19C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004C112B push ecx; iretd 8_2_004C112C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004DD189 push ecx; ret 8_2_004DD19C
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Boot Survival

Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00482FE0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00482FE0
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: c:\users\user\desktop\file.exe Event Logs and Signature results: Application crash and keyboard check
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\Users\user\Desktop\file.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\file.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\file.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 0_2_0045D9F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 8_2_0045D9F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\file.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\file.exe TID: 7332 Thread sleep count: 76 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7332 Thread sleep count: 37 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7332 Thread sleep count: 32 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7588 Thread sleep count: 33 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7596 Thread sleep count: 98 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7992 Thread sleep count: 89 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7992 Thread sleep count: 128 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1516 Thread sleep count: 78 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1516 Thread sleep count: 43 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1516 Thread sleep count: 98 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00464270 GetKeyboardLayoutList followed by cmp: cmp esi, edi and CTI: je 00464293h 0_2_00464270
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004624B0 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 004624C0h country: Upper Sorbian (hsb) 0_2_004624B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_00464270 GetKeyboardLayoutList followed by cmp: cmp esi, edi and CTI: je 00464293h 8_2_00464270
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004624B0 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 004624C0h country: Upper Sorbian (hsb) 8_2_004624B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00492190 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 004921D1h 0_2_00492190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_00492190 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 004921D1h 8_2_00492190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040E7B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA, 0_2_0040E7B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004DB1CB FindClose,FindFirstFileExW,GetLastError, 0_2_004DB1CB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040B300 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_0040B300
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041FA10 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_0041FA10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0043EAEB FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CopyFileA,CopyFileA, 0_2_0043EAEB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0040E7B0 FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SHGetFolderPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA, 8_2_0040E7B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0043CA90 CreateThread,CredEnumerateA,SHGetFolderPathA,CreateThread,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CopyFileA,CopyFileA, 8_2_0043CA90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004DB1CB FindClose,FindFirstFileExW,GetLastError, 8_2_004DB1CB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004DB251 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 8_2_004DB251
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0040B300 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 8_2_0040B300
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040CD50 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0040CD50
Source: Amcache.hve.7.dr Binary or memory string: VMware
Source: RageMP131.exe, 00000011.00000003.2008536036.0000000002FE4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}C
Source: file.exe, 00000000.00000002.2256177341.00000000030A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnk
Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: file.exe, 00000000.00000003.2072010146.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068786897.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2023096366.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2256177341.000000000307B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2554428927.00000000030E9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2554428927.00000000030BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2554347578.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000003.2305959394.0000000003002000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: RageMP131.exe, 0000001A.00000003.2093321378.0000000002FA8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: RageMP131.exe, 00000011.00000002.2348884384.0000000002F70000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
Source: MPGPH131.exe, 00000008.00000003.2368810046.00000000030D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}X(
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
Source: MPGPH131.exe, 00000009.00000003.2387852289.0000000002E56000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}4w
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: MPGPH131.exe, 00000008.00000002.2554428927.00000000030E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWo
Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: file.exe, 00000000.00000002.2258431224.0000000007A89000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_926F18F8sautoD
Source: RageMP131.exe, 0000001A.00000002.2603079344.0000000002F95000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: RageMP131.exe, 00000011.00000002.2348884384.0000000002FDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
Source: RageMP131.exe, 0000001A.00000002.2603079344.0000000002FC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000011.00000002.2353136507.0000000007A92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_926F18F8y
Source: RageMP131.exe, 00000011.00000002.2348884384.0000000002FCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RageMP131.exe, 0000001A.00000002.2603079344.0000000002F40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&'
Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MPGPH131.exe, 00000009.00000002.2554347578.0000000002E40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MPGPH131.exe, 00000009.00000002.2554347578.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW5t
Source: Amcache.hve.7.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
Source: MPGPH131.exe, 00000008.00000002.2554428927.0000000003060000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&z)
Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: RageMP131.exe, 0000001A.00000002.2604583006.0000000007A92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_926F18F8
Source: file.exe, 00000000.00000003.2223197438.0000000007AA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J6HEdjEHUub5EtqTQ2dk3wwrCNfruTWZeEqONRrqgXAW0ke6pZXg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00414870 IsDebuggerPresent, 0_2_00414870
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0045E5D4 CreateThread,CloseHandle,Sleep,GetTempPathA,CreateDirectoryA,CreateDirectoryA,OutputDebugStringA,CreateDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep, 0_2_0045E5D4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0045DDE5 LoadLibraryA,GetProcAddress,MessageBoxA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,SetThreadExecutionState, 0_2_0045DDE5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004160B0 mov ecx, dword ptr fs:[00000030h] 0_2_004160B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0045E5D4 mov eax, dword ptr fs:[00000030h] 0_2_0045E5D4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0045E5D4 mov ecx, dword ptr fs:[00000030h] 0_2_0045E5D4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0043CA90 mov eax, dword ptr fs:[00000030h] 0_2_0043CA90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0045EA9C mov eax, dword ptr fs:[00000030h] 0_2_0045EA9C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041AB90 mov eax, dword ptr fs:[00000030h] 0_2_0041AB90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0045D9F0 mov eax, dword ptr fs:[00000030h] 0_2_0045D9F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0045DDE5 mov eax, dword ptr fs:[00000030h] 0_2_0045DDE5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00414870 mov eax, dword ptr fs:[00000030h] 0_2_00414870
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00414ED0 mov eax, dword ptr fs:[00000030h] 0_2_00414ED0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041EF10 mov eax, dword ptr fs:[00000030h] 0_2_0041EF10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0045E5D4 mov eax, dword ptr fs:[00000030h] 8_2_0045E5D4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0045E5D4 mov ecx, dword ptr fs:[00000030h] 8_2_0045E5D4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0045EA9C mov eax, dword ptr fs:[00000030h] 8_2_0045EA9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0041AB90 mov eax, dword ptr fs:[00000030h] 8_2_0041AB90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0045D9F0 mov eax, dword ptr fs:[00000030h] 8_2_0045D9F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0045DDE5 mov eax, dword ptr fs:[00000030h] 8_2_0045DDE5
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004160B0 mov ecx, dword ptr fs:[00000030h] 8_2_004160B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_00414870 mov eax, dword ptr fs:[00000030h] 8_2_00414870
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0043CA90 mov eax, dword ptr fs:[00000030h] 8_2_0043CA90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_00414ED0 mov eax, dword ptr fs:[00000030h] 8_2_00414ED0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0041EF10 mov eax, dword ptr fs:[00000030h] 8_2_0041EF10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00482C80 GetProcessHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00482C80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004DD3B4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_004DD3B4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_004DD74D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_004DD74D

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418BB0 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_00418BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_00418BB0 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 8_2_00418BB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004149F0 cpuid 0_2_004149F0
Source: C:\Users\user\Desktop\file.exe Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0040CD50
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_004FC045
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_004FC090
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_004FC12B
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_004FC1B6
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_004F43EA
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_004FC409
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_004FC532
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_004FC638
Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_004FC70E
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_004F496D
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoEx,FormatMessageA, 0_2_004DAFC3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 8_2_004FC045
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 8_2_004FC090
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 8_2_004FC12B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_004FC1B6
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 8_2_004F43EA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 8_2_004FC409
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_004FC532
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 8_2_004FC638
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_004FC70E
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 8_2_004F496D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 8_2_0040CD50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoEx,FormatMessageA, 8_2_004DAFC3
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040CD50 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0040CD50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00446020 CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,CopyFileA,SHGetFolderPathA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,ShellExecuteA, 0_2_00446020
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F636F GetTimeZoneInformation, 0_2_004F636F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00491C30 GetVersionExA,CreateFileW, 0_2_00491C30
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 8.3.MPGPH131.exe.4a60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4ac0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RageMP131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.MPGPH131.exe.4a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.RageMP131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.RageMP131.exe.4c40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MPGPH131.exe.48b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RageMP131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.RageMP131.exe.4ad0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RageMP131.exe.4ae0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.RageMP131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MPGPH131.exe.4900e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.4c20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.RageMP131.exe.4c30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.2307637364.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2253726342.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2258287784.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2603079344.0000000002F47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2345569703.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2256177341.000000000302E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1698876622.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2352946266.0000000007A40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.1935064684.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2604404588.0000000007A40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2348884384.0000000002F7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2345301493.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2355371299.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2552333219.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2601441093.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2552258510.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.2050121383.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2603802110.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7584, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 2352, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\dSyaNbAby9QXs4RBu3VN33H.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\e_uwnYJDOrnylP4tGD1vKSo.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\OfCx6VeglYVpWTwI9NddWAo.zip, type: DROPPED
Source: file.exe, 00000000.00000003.2222334467.0000000007A9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\walletsH
Source: file.exe, 00000000.00000003.2222334467.0000000007A9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: file.exe, 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\com.liberty.jaxx
Source: file.exe, 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.walletE>
Source: RageMP131.exe, 00000011.00000003.2305959394.0000000003058000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets=]
Source: file.exe, 00000000.00000003.2222334467.0000000007A9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: file.exe, 00000000.00000003.2222334467.0000000007A9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets*
Source: file.exe, 00000000.00000003.2222334467.0000000007A9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: RageMP131.exe, 00000011.00000003.2305959394.0000000003058000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\GN
Source: file.exe, 00000000.00000002.2256177341.000000000307B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 00000011.00000003.2305959394.0000000003058000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2349974931.0000000003002000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2256177341.00000000030B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.2343081719.0000000003065000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2350560658.0000000003069000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.2307237063.0000000003058000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.2307237063.0000000003002000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 2352, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 8.3.MPGPH131.exe.4a60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.4ac0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RageMP131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.MPGPH131.exe.4a10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.RageMP131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.3.RageMP131.exe.4c40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MPGPH131.exe.48b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RageMP131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.RageMP131.exe.4ad0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RageMP131.exe.4ae0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.RageMP131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MPGPH131.exe.4900e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.4c20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.3.RageMP131.exe.4c30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.2307637364.0000000007A99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2253726342.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2258287784.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2603079344.0000000002F47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2345569703.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2256177341.000000000302E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2555613641.0000000004900000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1698876622.0000000004C20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2352946266.0000000007A40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2351210254.0000000004AD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.1935064684.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2254819923.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2604404588.0000000007A40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2348884384.0000000002F7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2345301493.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2355371299.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2552333219.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2555618433.00000000048B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2601441093.0000000000400000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2552258510.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2257395722.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.2050121383.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2603802110.0000000004AE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7584, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7988, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 2352, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\dSyaNbAby9QXs4RBu3VN33H.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\e_uwnYJDOrnylP4tGD1vKSo.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\OfCx6VeglYVpWTwI9NddWAo.zip, type: DROPPED