Windows Analysis Report
s2dwlCsA95.exe

Overview

General Information

Sample name: s2dwlCsA95.exe
renamed because original name is a hash value
Original sample name: 360f5b40a6cbc8f99639d6989a3fd0ac.exe
Analysis ID: 1428546
MD5: 360f5b40a6cbc8f99639d6989a3fd0ac
SHA1: 1709413509c4dedf9e0452d818a5991c0740ca86
SHA256: 09c9e09ef1371e9bc9292abce47d8bd0fdae9cb9fecc42ccfd51f983f43e2bdf
Tags: 32, exe, RisePro, Stealer, trojan

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection

Source: http://193.233.132.167/cost/lenin.exe URL Reputation: Label: malware
Source: http://147.45.47.102:57893/hera/amadka.exe Virustotal: Detection: 18%
Source: http://147.45.47.102:57893/hera/amadka.exea Virustotal: Detection: 15%
Source: http://193.233.132.167/cost/go.exe Virustotal: Detection: 24%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 47%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Virustotal: Detection: 50%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Virustotal: Detection: 50%
Source: s2dwlCsA95.exe Virustotal: Detection: 50%
Source: s2dwlCsA95.exe ReversingLabs: Detection: 47%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: s2dwlCsA95.exe Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\s2dwlCsA95.exe Unpacked PE file: 0.2.s2dwlCsA95.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 10.2.MPGPH131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 29.2.RageMP131.exe.400000.0.unpack
Source: s2dwlCsA95.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\s2dwlCsA95.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\SysWOW64\IMM32.DLL
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\SysWOW64\
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\SysWOW64\oleaut32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\SysWOW64\msimg32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097\gdiplus.dll

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49704 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49704
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49704
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49704 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49707
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49707
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49708
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49707 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49708 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49717
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49717 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49717
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49721
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49721
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49721 -> 147.45.47.93:58709
Source: global traffic TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 147.45.47.93:58709
Source: Joe Sandbox View IP Address: 34.117.186.192
Source: Joe Sandbox View IP Address: 147.45.47.93
Source: Joe Sandbox View IP Address: 172.67.75.166
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown DNS query: name: ipinfo.io
Source: global traffic HTTP traffic detected:
  GET /widget/demo/81.181.57.52 HTTP/1.1
  Connection: Keep-Alive
  Referer: https://ipinfo.io/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Host: ipinfo.io
Source: global traffic HTTP traffic detected:
  GET /demo/home.php?s=81.181.57.52 HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
  Host: db-ip.com
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown DNS traffic detected: queries for: ipinfo.io
Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2631989425.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe9
Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exea
Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2631989425.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe
Source: MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457109129.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454661731.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2453591148.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2444060139.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2441425631.0000000002D73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exeadka.ex
Source: MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exedka.exea
Source: MPGPH131.exe, 0000000A.00000003.2631989425.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2838329907.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exeoinoin
Source: s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2631989425.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457109129.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454661731.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2453591148.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2838329907.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe
Source: MPGPH131.exe, 0000000A.00000003.2631989425.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2838329907.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exein9
Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exenia
Source: Amcache.hve.8.dr String found in binary or memory: http://upx.sf.net
Source: s2dwlCsA95.exe, 00000000.00000002.2413832078.0000000000400000.00000040.00000001.01000000.00000003.sdmp, s2dwlCsA95.exe, 00000000.00000003.2030911452.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2127621832.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2823048597.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2836396180.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2129386240.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2844660544.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001D.00000002.2847142038.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2229476539.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: s2dwlCsA95.exe, 00000000.00000002.2413832078.0000000000400000.00000040.00000001.01000000.00000003.sdmp, s2dwlCsA95.exe, 00000000.00000003.2030911452.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2127621832.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2823048597.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2836396180.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2129386240.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2844660544.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001D.00000002.2847142038.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2229476539.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDllDpRTpR
Source: s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457109129.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454661731.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2453591148.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2444060139.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2441425631.0000000002D73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/-~
Source: MPGPH131.exe, 0000000A.00000003.2441425631.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2846157398.0000000002E9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52
Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.522
Source: MPGPH131.exe, 00000009.00000002.2824634591.0000000003029000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52:1%
Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/vVpR
Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52
Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.527
Source: s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr, kfF3SxorO0TnWeb Data.29.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr, kfF3SxorO0TnWeb Data.29.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr, kfF3SxorO0TnWeb Data.29.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002E6F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2846157398.0000000002EB7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2846157398.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.000000000304F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003045000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.000000000304F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.000000000304F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.000000000304F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.000000000304F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: MPGPH131.exe, 0000000A.00000003.2441425631.0000000002D62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/g
Source: s2dwlCsA95.exe, 00000000.00000002.2413832078.0000000000400000.00000040.00000001.01000000.00000003.sdmp, s2dwlCsA95.exe, 00000000.00000003.2030911452.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2127621832.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2823048597.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2836396180.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2129386240.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2844660544.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000001D.00000002.2847142038.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2229476539.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D2D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/t
Source: s2dwlCsA95.exe, 00000000.00000002.2415707420.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415246869.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003045000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003019000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D43000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2846157398.0000000002EB7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2846157398.0000000002E88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52
Source: MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457109129.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454661731.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2453591148.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2444060139.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2441425631.0000000002D73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52b
Source: s2dwlCsA95.exe, 00000000.00000002.2415707420.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003045000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450905357.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457232246.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2441425631.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2846157398.0000000002EB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52
Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: RageMP131.exe, 0000001D.00000003.2719533978.00000000079CB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2846157398.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, CaUaqkY92GovL9TcuRMGkgg.zip.9.dr, Aso5djWiC8bybG6teNs2YR5.zip.0.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000009.00000002.2826478110.00000000079AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT-PC77
Source: MPGPH131.exe, 0000000A.00000002.2839912338.0000000007B0B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2630813730.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2632111137.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT7
Source: MPGPH131.exe, 0000000A.00000003.2631101956.0000000007983000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2839750203.0000000007987000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTP
Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTV
Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2718661022.00000000079DA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2847854867.00000000079AB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2718897346.0000000007B27000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.9.dr, passwords.txt.10.dr, passwords.txt.0.dr, passwords.txt.29.dr String found in binary or memory: https://t.me/risepro_bot
Source: MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457109129.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454661731.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2453591148.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2444060139.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2441425631.0000000002D73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot52Hg
Source: MPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot=
Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botRoman
Source: MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457109129.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454661731.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2453591148.0000000002D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2444060139.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2441425631.0000000002D73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: MPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botl
Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botrisepro
Source: s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: s2dwlCsA95.exe, 00000000.00000003.2251372349.0000000007A5D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2260395839.0000000007A6D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2252810768.0000000007BB9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468827822.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2484811582.0000000007B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471339967.00000000079CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2437479082.00000000079AF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2442643129.0000000007B1C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486223022.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2488787566.0000000007B28000.00000004.00000020.00020000.00000000.sdmp, mBeF6fjmagbuWeb Data.10.dr, qWLSFxkgVRGKWeb Data.10.dr, CoMQhAavqDqMWeb Data.0.dr, ARK9jcv46EtQWeb Data.0.dr, JOrVCJO0eOimWeb Data.9.dr, iLf0wCBweGxDWeb Data.10.dr, ffbERgjR2VedWeb Data.29.dr, kfF3SxorO0TnWeb Data.29.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: s2dwlCsA95.exe, 00000000.00000002.2416554344.0000000007A43000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2653643818.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2825505075.00000000030B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/(
Source: s2dwlCsA95.exe, 00000000.00000002.2416554344.0000000007A43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/BrsF2
Source: s2dwlCsA95.exe, 00000000.00000002.2416554344.0000000007A43000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471869098.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472744212.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2488832236.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465560684.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2489757091.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470290684.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2486798860.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2491826274.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2490434178.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2491080898.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2487659427.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471486526.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2474979528.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2826478110.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467027616.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469156383.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2480668794.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2485832381.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 
0000000A.00000002.2839636602.0000000007979000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2435031167.0000000007979000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: s2dwlCsA95.exe, 00000000.00000002.2416554344.0000000007A43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/_rhF5
Source: MPGPH131.exe, 0000000A.00000003.2631989425.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2838329907.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/v
Source: D87fZN3R3jFeplaces.sqlite.9.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: s2dwlCsA95.exe, 00000000.00000002.2416554344.0000000007A43000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471869098.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472744212.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2488832236.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465560684.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2489757091.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470290684.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2486798860.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2491826274.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2490434178.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2491080898.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2487659427.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471486526.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2474979528.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2826478110.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467027616.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469156383.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2480668794.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2485832381.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 
0000000A.00000002.2839636602.0000000007979000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2435031167.0000000007979000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: s2dwlCsA95.exe, 00000000.00000002.2416554344.0000000007A43000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415246869.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469264055.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2653643818.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2825505075.00000000030B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2631989425.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 
0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457109129.0000000002D77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: MPGPH131.exe, 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ata
Source: s2dwlCsA95.exe, 00000000.00000002.2416554344.0000000007A43000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471869098.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472744212.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2488832236.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465560684.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2489757091.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470290684.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2486798860.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2491826274.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2490434178.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2491080898.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2487659427.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2471486526.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2474979528.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2826478110.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467027616.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2469156383.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2480668794.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2485832381.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 
0000000A.00000002.2839636602.0000000007979000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2435031167.0000000007979000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: s2dwlCsA95.exe, 00000000.00000002.2415246869.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/icr
Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/irefoxR
Source: MPGPH131.exe, 0000000A.00000003.2631989425.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ktop
Source: s2dwlCsA95.exe, 00000000.00000002.2416554344.0000000007A43000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/r
Source: MPGPH131.exe, 00000009.00000003.2469264055.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2653643818.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2467134085.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2465795551.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2825505075.00000000030B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.00000000030B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472152362.00000000030B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ss_1h8m
Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/t
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49725 version: TLS 1.2

System Summary

Source: 0000000A.00000002.2838613452.0000000004945000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2415935130.000000000494C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001D.00000002.2847042300.00000000049A1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000009.00000002.2825584090.000000000496E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001D.00000002.2847142038.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 868
Source: s2dwlCsA95.exe, 00000000.00000002.2413832078.0000000000400000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamewpa.dll( vs s2dwlCsA95.exe
Source: s2dwlCsA95.exe, 00000000.00000003.2030911452.0000000004C50000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewpa.dll( vs s2dwlCsA95.exe
Source: s2dwlCsA95.exe, 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewpa.dll( vs s2dwlCsA95.exe
Source: s2dwlCsA95.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0000000A.00000002.2838613452.0000000004945000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2415935130.000000000494C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001D.00000002.2847042300.00000000049A1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000002.2825584090.000000000496E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001D.00000002.2847142038.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@25/154@2/3
Source: C:\Users\user\Desktop\s2dwlCsA95.exe File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7088
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6340
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6604
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5004:120:WilError_03
Source: C:\Users\user\Desktop\s2dwlCsA95.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: s2dwlCsA95.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\s2dwlCsA95.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: s2dwlCsA95.exe, 00000000.00000002.2413832078.0000000000400000.00000040.00000001.01000000.00000003.sdmp, s2dwlCsA95.exe, 00000000.00000003.2030911452.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2127621832.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2823048597.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2836396180.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2129386240.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2844660544.0000000000400000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: s2dwlCsA95.exe, 00000000.00000002.2413832078.0000000000400000.00000040.00000001.01000000.00000003.sdmp, s2dwlCsA95.exe, 00000000.00000003.2030911452.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2127621832.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2823048597.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2836396180.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2129386240.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000002.2844660544.0000000000400000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: s2dwlCsA95.exe, 00000000.00000003.2262300997.0000000007A55000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2468375045.00000000079BA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2432370448.0000000007970000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451380054.0000000007AF1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2435031167.0000000007979000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450589041.000000000797F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2434487861.0000000007981000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2499201453.0000000007B20000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2499909820.00000000079BE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000001D.00000003.2486463991.00000000079C3000.00000004.00000020.00020000.00000000.sdmp, u0mEFv0CB7P7Login Data.10.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: s2dwlCsA95.exe Virustotal: Detection: 50%
Source: s2dwlCsA95.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\s2dwlCsA95.exe File read: C:\Users\user\Desktop\s2dwlCsA95.exe
Source: unknown Process created: C:\Users\user\Desktop\s2dwlCsA95.exe "C:\Users\user\Desktop\s2dwlCsA95.exe"
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 868
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 960
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1008
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 984
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1384
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1016
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 812
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6340 -s 780
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1872
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1908
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 900
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6340 -s 872
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6604 -s 1876
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7088 -s 932
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msimg32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msvcr100.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dpapi.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\s2dwlCsA95.exe File opened: C:\Windows\SysWOW64\msvcr100.dll

Data Obfuscation

Source: C:\Users\user\Desktop\s2dwlCsA95.exe Unpacked PE file: 0.2.s2dwlCsA95.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 10.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 29.2.RageMP131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Unpacked PE file: 0.2.s2dwlCsA95.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 10.2.MPGPH131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 29.2.RageMP131.exe.400000.0.unpack
Source: C:\Users\user\Desktop\s2dwlCsA95.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\s2dwlCsA95.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Boot Survival

Source: C:\Users\user\Desktop\s2dwlCsA95.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\s2dwlCsA95.exe TID: 1248 Thread sleep count: 62 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3180 Thread sleep count: 34 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3180 Thread sleep count: 49 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5064 Thread sleep count: 83 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5064 Thread sleep count: 32 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\SysWOW64\IMM32.DLL
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\SysWOW64\
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\SysWOW64\oleaut32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\SysWOW64\msimg32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_d94bc80de1097097\gdiplus.dll
Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: formVMware20,11696428655
Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ccount.microsoft.com/profileVMware20,11696428655u
Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CT service, encrypted_token FROM token_servicerr global passwords blocklistVMware20,11696428655
Source: MPGPH131.exe, 0000000A.00000003.2445188066.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2450794462.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2451747613.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457593029.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454124190.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2445938755.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2452732418.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2457109129.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2454661731.0000000002D77000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2453591148.0000000002D78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: RageMP131.exe, 0000001D.00000003.2508615965.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696
Source: RageMP131.exe, 0000001D.00000003.2508615965.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .comVMware20,11696428
Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r global passwords blocklistVMware20,11696428655
Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002E88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: s2dwlCsA95.exe, 00000000.00000002.2415246869.0000000002EFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8T
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: RageMP131.exe, 0000001D.00000003.2508615965.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ebrokers.co.inVMware20,11696428655d
Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\*
Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: s2dwlCsA95.exe, MPGPH131.exe Binary or memory string: hgFsatiaOZiP5ud66KrfNQakFogGwqi01OGshxNLlXk75qdnYqEmja4bFX50KvIXsUhbKrnbOpHRo5rei0yg1qt3msWkBojOykFtdII2ep8Ti5TC6idfMCnds9Npph6Fqyu1pQe3o5O3p7yYZqcVUtG1R0ejStP9RHuhTF0KXntOn9xGOgHsABEhd4KFsN9MvtQZdJWYqjSF1BtshZUYEEghs8BkuMryRbq1kaSnMG0jvJhXLWSsyBzLkeFQZDuwCEck
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
Source: MPGPH131.exe, 00000009.00000002.2824634591.0000000003027000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: discord.comVMware20,11696428655f
Source: RageMP131.exe, 0000001D.00000003.2278848725.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rootpagecomVMware20,11696428655o
Source: RageMP131.exe, 0000001D.00000003.2508615965.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s.portal.azure.comVMware20,11696428655
Source: Amcache.hve.8.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pageformVMware20,11696428655
Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \?\scsi_vmwaretual_dif219&0&3f563070-94f2-b8b}
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: MPGPH131.exe, 00000009.00000002.2825505075.00000000030B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}FilesPSModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,116968h
Source: RageMP131.exe, 0000001D.00000003.2508615965.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: billing_address_id.comVMware20,11696428
Source: Amcache.hve.8.dr Binary or memory string: VMware
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: MPGPH131.exe Binary or memory string: ehgFsatiaOZiP5ud66KrfNQakFogGwqi01OGshxNLlXk75qdnYqEmja4bFX50KvIXsUhbKrnbOpHRo5rei0yg1qt3msWkBojOykFtdII2ep8Ti5TC6idfMCnds9Npph6Fqyu1pQe3o5O3p7yYZqcVUtG1R0ejStP9RHuhTF0KXntOn9xGOgHsABEhd4KFsN9MvtQZdJWYqjSF1BtshZUYEEghs8BkuMryRbq1kaSnMG0jvJhXLWSsyBzLkeFQZDuwCEc
Source: RageMP131.exe, 0000001D.00000003.2719533978.00000000079CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@
Source: RageMP131.exe, 0000001D.00000003.2508615965.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .utiitsl.comVMware20,1169642865
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MPGPH131.exe, 0000000A.00000003.2630559206.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}g\
Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2472850926.0000000003060000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2824634591.0000000003045000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2470463401.0000000003060000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: MPGPH131.exe, 0000000A.00000002.2838329907.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_A8AFF657T
Source: MPGPH131.exe, 0000000A.00000003.2182907727.0000000002D58000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}`M
Source: RageMP131.exe, 0000001D.00000003.2278848725.0000000002EA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}a\*
Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,1169642865
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: RageMP131.exe, 0000001D.00000003.2508615965.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116`e
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: RageMP131.exe, 0000001D.00000003.2508615965.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nickname.utiitsl.comVMware20,1169642865
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: RageMP131.exe, 0000001D.00000003.2508615965.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ra Change Transaction PasswordVMware20,11696428655
Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: o.inVMware20,11696428655~
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: RageMP131.exe, 0000001D.00000002.2846896933.0000000002F22000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_A8AFF657
Source: s2dwlCsA95.exe, 00000000.00000002.2416743946.0000000007C36000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}rtjjegpclfi
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: s2dwlCsA95.exe Binary or memory string: +fO7ouTkHRIuiYlHQ5jkXRAOj+SDkmHpEPStTzpBpB0SLrWJh1O2CHpgHT9SDokXWuT7k/o0zmFdI+5yZXyfjdDVtvdBCKQMC7RUN74ZnXXnXfhxjfIuiZlHWLOEZh7yU2OUXaC0KOu1lA7guRD8jUl+YL/jV4e4s8Af3Yf0SL+EH9Nir8/I/6cgr8AuehgFsatiaOZiP5ud66KrfNQakFogGwqi01OGshxNLlXk75qdnYqEmja4bFX50KvIXsUhbKrn
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696428655
Source: MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b:o8
Source: MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}*9zo
Source: RageMP131.exe, 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _vmware
Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: s2dwlCsA95.exe, 00000000.00000002.2416554344.0000000007A00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}x
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: comVMware20,11696428655o
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: AwY3wK8EalbzWeb Data.29.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: MPGPH131.exe Binary or memory string: akS6ApEPStTbp3vENJJ1DSPeUmxwyIl3NG9og8hB5TYq8dyLynII8M+fO7ouTkHRIuiYlHQ5jkXRAOj+SDkmHpEPStTzpBpB0SLrWJh1O2CHpgHT9SDokXWuT7k/o0zmFdI+5yZXyfjdDVtvdBCKQMC7RUN74ZnXXnXfhxjfIuiZlHWLOEZh7yU2OUXaC0KOu1lA7guRD8jUl+YL/jV4e4s8Af3Yf0SL+EH9Nir8/I/6cgr8AuehgFsatiaOZiP5ud66
Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RageMP131.exe, 0000001D.00000003.2510965823.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, s2dwlCsA95.exe, 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: MPGPH131.exe, 0000000A.00000002.2837741702.0000000002D43000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: MPGPH131.exe Binary or memory string: kS6ApEPStTbp3vENJJ1DSPeUmxwyIl3NG9og8hB5TYq8dyLynII8M+fO7ouTkHRIuiYlHQ5jkXRAOj+SDkmHpEPStTzpBpB0SLrWJh1O2CHpgHT9SDokXWuT7k/o0zmFdI+5yZXyfjdDVtvdBCKQMC7RUN74ZnXXnXfhxjfIuiZlHWLOEZh7yU2OUXaC0KOu1lA7guRD8jUl+YL/jV4e4s8Af3Yf0SL+EH9Nir8/I/6cgr8AuehgFsatiaOZiP5ud66K
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 9.2.MPGPH131.exe.4a30e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.MPGPH131.exe.4b90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.RageMP131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.s2dwlCsA95.exe.4af0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.s2dwlCsA95.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.MPGPH131.exe.4b60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.RageMP131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.3.RageMP131.exe.4bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.MPGPH131.exe.4a00e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.RageMP131.exe.4a60e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.s2dwlCsA95.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.s2dwlCsA95.exe.4c50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001D.00000002.2847854867.00000000079CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2839912338.0000000007B0B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2719158457.00000000079C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2380582113.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2380919991.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2413832078.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2415246869.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2127621832.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2631101956.0000000007983000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2630742381.0000000007983000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2839750203.0000000007987000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2847854867.00000000079AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2030911452.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2719409895.00000000079C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2719285122.00000000079C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2836396180.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2630813730.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2631558554.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2719533978.00000000079CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2381605815.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2631457958.0000000007983000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2631172078.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2415707420.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2416554344.0000000007A00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2632111137.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2826478110.000000000796A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2631820625.0000000007987000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2844660544.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2846157398.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2826478110.00000000079AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2847142038.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2229476539.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2129386240.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2823048597.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: s2dwlCsA95.exe PID: 6604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6340, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\CaUaqkY92GovL9TcuRMGkgg.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Aso5djWiC8bybG6teNs2YR5.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\9EaqYGrOoLZGqTHtmnARfPr.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\M3KUyMMJ1wTzBxomWRvBAGK.zip, type: DROPPED
Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: s2dwlCsA95.exe, 00000000.00000002.2415246869.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: s2dwlCsA95.exe, 00000000.00000002.2415246869.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Jaxx\Local Storage
Source: s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: s2dwlCsA95.exe, 00000000.00000003.2380441433.0000000007C2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: s2dwlCsA95.exe, 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: s2dwlCsA95.exe, 00000000.00000003.2380441433.0000000007C2F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: s2dwlCsA95.exe, 00000000.00000002.2415246869.0000000002EF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: s2dwlCsA95.exe, 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: MPGPH131.exe, 00000009.00000002.2826478110.0000000007960000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\formhistory.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Desktop\s2dwlCsA95.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\s2dwlCsA95.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\s2dwlCsA95.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 0000001D.00000002.2846157398.0000000002ED1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2837741702.0000000002D73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2380582113.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2378809167.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2381973315.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2379020101.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2381605815.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2380919991.0000000002F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2415767613.0000000002F2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2824634591.0000000003060000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: s2dwlCsA95.exe PID: 6604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6340, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 9.2.MPGPH131.exe.4a30e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.MPGPH131.exe.4b90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.RageMP131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.s2dwlCsA95.exe.4af0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.s2dwlCsA95.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.MPGPH131.exe.4b60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.RageMP131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.3.RageMP131.exe.4bc0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.MPGPH131.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.MPGPH131.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.MPGPH131.exe.4a00e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.RageMP131.exe.4a60e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.s2dwlCsA95.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.s2dwlCsA95.exe.4c50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001D.00000002.2847854867.00000000079CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2839912338.0000000007B0B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2719158457.00000000079C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2380582113.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2380919991.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2413832078.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2415246869.0000000002EAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2838757535.0000000004A00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2127621832.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2631101956.0000000007983000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2630742381.0000000007983000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2839750203.0000000007987000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2847854867.00000000079AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2030911452.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2719409895.00000000079C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2719285122.00000000079C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2836396180.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2630813730.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2631558554.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2719533978.00000000079CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2381605815.0000000002F1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2416082806.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2631457958.0000000007983000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2631172078.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2415707420.0000000002F1D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2416554344.0000000007A00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2632111137.0000000007B0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2826478110.000000000796A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2631820625.0000000007987000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2844660544.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2846157398.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2825664696.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2826478110.00000000079AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2847142038.0000000004A60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2229476539.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2129386240.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2823048597.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: s2dwlCsA95.exe PID: 6604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7088, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6340, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\CaUaqkY92GovL9TcuRMGkgg.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Aso5djWiC8bybG6teNs2YR5.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\9EaqYGrOoLZGqTHtmnARfPr.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\M3KUyMMJ1wTzBxomWRvBAGK.zip, type: DROPPED