Windows Analysis Report
ygm2mXUReY.exe

Overview

General Information

Sample name: ygm2mXUReY.exe
renamed because original name is a hash value
Original sample name: d668244429e4a7a0b205b2ce843b9663.exe
Analysis ID: 1429359
MD5: d668244429e4a7a0b205b2ce843b9663
SHA1: dd8aee62f445db5649840f9ffb8cb33d304254f3
SHA256: ef09750219f549d293572aedb0f593ef6c4a74ac77bb99950ca8b5a91377ab89
Tags: 32, exe, trojan

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection

Source: ygm2mXUReY.exe Avira: detected
Source: http://193.233.132.167/cost/lenin.exe URL Reputation: Label: malware
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Avira: detection malicious, Label: HEUR/AGEN.1313019
Source: http://193.233.132.167/cost/lenin.exeepro Virustotal: Detection: 24%
Source: http://193.233.132.167/cost/go.exe Virustotal: Detection: 24%
Source: http://193.233.132.167/cost/go.exeadka.ex Virustotal: Detection: 24%
Source: http://193.233.132.167/cost/lenin.exe0 Virustotal: Detection: 23%
Source: http://147.45.47.102:57893/hera/amadka.exe Virustotal: Detection: 18%
Source: http://147.45.47.102:57893/hera/amadka.exea Virustotal: Detection: 15%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 36%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Virustotal: Detection: 39%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Virustotal: Detection: 39%
Source: ygm2mXUReY.exe Virustotal: Detection: 39%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: ygm2mXUReY.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_004D1240 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree, 0_2_004D1240

Compliance

Source: C:\Users\user\Desktop\ygm2mXUReY.exe Unpacked PE file: 0.2.ygm2mXUReY.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 10.2.MPGPH131.exe.400000.0.unpack
Source: ygm2mXUReY.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\ygm2mXUReY.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: Binary string: ]C:\wedigi\reciforeb\tetuguhuc\y.pdb source: ygm2mXUReY.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr
Source: Binary string: C:\wedigi\reciforeb\tetuguhuc\y.pdb source: ygm2mXUReY.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_004D0620 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_004D0620
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_004F2870 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_004F2870
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0042C82B FindClose,FindFirstFileExW,GetLastError, 0_2_0042C82B
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ygm2mXUReY.exe_65396d3389e0d0bfd23059c0a7ad776d4579bbf9_66eab1d0_2bf57861-c4ef-4b8b-97e9-ae95bb3c92d5\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_1695d586fe6dcb3fc26aa419f17677af41dbbd72_05789ee0_782df4d4-a9ed-4ef0-9c2b-b94a67192a7b\

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49705 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49705
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49705
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49705 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49706
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49706
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49708
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49706 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49708 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49715
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49715 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49723
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49723
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49723 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2049661 ET TROJAN RisePro CnC Activity (Inbound) 192.168.2.5:49723 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046270 ET TROJAN [ANY.RUN] RisePro TCP (Exfiltration) 192.168.2.5:49723 -> 147.45.47.93:58709
Source: global traffic TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 147.45.47.93:58709
Source: Joe Sandbox View IP Address: 34.117.186.192
Source: Joe Sandbox View IP Address: 147.45.47.93
Source: Joe Sandbox View IP Address: 172.67.75.166
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown DNS query: name: ipinfo.io
Source: global traffic HTTP traffic detected (5 requests): GET /widget/demo/81.181.57.52 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: ipinfo.io
Source: global traffic HTTP traffic detected (5 requests): GET /demo/home.php?s=81.181.57.52 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: db-ip.com
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93 (logged 50 times; the C2 address is contacted directly, with no DNS resolution)
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_004D3150 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,freeaddrinfo,WSACleanup,freeaddrinfo, 0_2_004D3150
Source: unknown DNS traffic detected: queries for: ipinfo.io
Source: ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377717823.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377717823.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe&
Source: MPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeA
Source: MPGPH131.exe, 00000009.00000003.2442056915.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.0000000004371000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exea
Source: ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe
Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe.52
Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exeadka.ex
Source: MPGPH131.exe, 00000009.00000003.2442056915.0000000004371000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exeate
Source: ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exeda1t
Source: ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe
Source: MPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe0
Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exeepro
Source: ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exeoina
Source: Amcache.hve.8.dr String found in binary or memory: http://upx.sf.net
Source: ygm2mXUReY.exe, 00000000.00000002.2413162518.000000000427D000.00000040.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590308249.0000000004656000.00000040.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607833266.00000000046C3000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibD
Source: MPGPH131.exe, 0000000A.00000002.2607924286.0000000005F30000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2178291011.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52
Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52?F
Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52U
Source: MPGPH131.exe, 00000009.00000003.2178291011.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/dx
Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2178291011.0000000004326000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52
Source: ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MPGPH131.exe, 0000000A.00000002.2607017449.000000000442E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.000000000445F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: ygm2mXUReY.exe, 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, ygm2mXUReY.exe, 00000000.00000003.2008770227.0000000006070000.00000004.00001000.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414862397.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590418032.0000000005FE0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2045834607.0000000006180000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2587702238.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2046639199.00000000060D0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2604776514.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2607924286.0000000005F30000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Content-Type:
Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043DC000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043DC000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043DD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.000000000446A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: MPGPH131.exe, 00000009.00000002.2589750462.00000000042C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/l
Source: ygm2mXUReY.exe, 00000000.00000002.2413282182.00000000043B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/rb
Source: ygm2mXUReY.exe, 00000000.00000002.2413282182.00000000043AD000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2413282182.00000000043D5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2589750462.00000000042DB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.000000000446A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.000000000443E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52
Source: ygm2mXUReY.exe, 00000000.00000002.2413282182.00000000043AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52=J
Source: MPGPH131.exe, 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52a9
Source: MPGPH131.exe, 0000000A.00000002.2607017449.000000000443E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52e
Source: ygm2mXUReY.exe, 00000000.00000002.2413282182.0000000004393000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/z=
Source: ygm2mXUReY.exe, 00000000.00000002.2413282182.00000000043D5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52
Source: MPGPH131.exe, 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52(
Source: MPGPH131.exe, 0000000A.00000002.2607017449.000000000446A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52?
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: ygm2mXUReY.exe, 00000000.00000002.2415576693.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2413282182.000000000435E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2589750462.000000000428E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.00000000043F8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2439521788.0000000008E04000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2608848110.0000000008E08000.00000004.00000020.00020000.00000000.sdmp, SZDEAvOWuc1j5blWLO4H6aA.zip.0.dr, dxTuy4jPkMDKvqGzbwvO8nc.zip.10.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2439521788.0000000008E04000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2608848110.0000000008E08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTV
Source: MPGPH131.exe, 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTd
Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2608848110.0000000008E08000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.10.dr, passwords.txt.0.dr String found in binary or memory: https://t.me/risepro_bot
Source: MPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot-
Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot6F
Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot9
Source: MPGPH131.exe, 00000009.00000003.2442547295.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004348000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botl
Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botrisepro
Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot~Fxt
Source: ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277749347.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2272506226.0000000008E37000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2266299894.0000000008E27000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2264083152.0000000008E25000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr, 6XPTC_VuRvwAWeb Data.0.dr, 22YOafS9AuarWeb Data.0.dr, oqeZ8c0GMjOkWeb Data.10.dr, HiTDZbYl7tFjWeb Data.10.dr, 3aqhlGTkMf6CWeb Data.10.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: ygm2mXUReY.exe, 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, ygm2mXUReY.exe, 00000000.00000003.2008770227.0000000006070000.00000004.00001000.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414862397.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590418032.0000000005FE0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2045834607.0000000006180000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2587702238.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2046639199.00000000060D0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2604776514.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2607924286.0000000005F30000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: ygm2mXUReY.exe, 00000000.00000003.2221967166.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: ygm2mXUReY.exe, 00000000.00000003.2220067370.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2214238152.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2224382558.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377717823.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2212085169.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2214654072.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2219193682.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2220945859.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2220398763.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2221967166.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2210682091.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2217585171.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2223890985.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2294441713.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2274481125.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2280241970.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2275529201.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2289744340.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/N
Source: ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377717823.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/n
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: ygm2mXUReY.exe, 00000000.00000003.2220067370.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2214238152.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2224382558.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377717823.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2212085169.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2214654072.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2219193682.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2220945859.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2220398763.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2221967166.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2210682091.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2217585171.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2223890985.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2294441713.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2274481125.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2280241970.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2275529201.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2289744340.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: ygm2mXUReY.exe, 00000000.00000003.2217585171.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2212085169.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2220067370.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377717823.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2214654072.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2214238152.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2210682091.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2219193682.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377717823.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2224382558.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2223890985.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2220945859.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2220398763.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2221967166.0000000008E19000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004371000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/6)
Source: MPGPH131.exe, 00000009.00000002.2590179683.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004371000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442940053.0000000004371000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/atata
Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/eG
Source: ygm2mXUReY.exe, 00000000.00000003.2220067370.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2214238152.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2224382558.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377717823.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2212085169.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2214654072.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2219193682.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2415674094.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2220945859.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2220398763.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2221967166.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2210682091.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2217585171.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2223890985.0000000008E23000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2294441713.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2274481125.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2280241970.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2275529201.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2289744340.0000000008E1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
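The string listing above is noisy in a predictable way: the same URL shows up many times with a few trailing bytes of unrelated memory attached (https://t.me/risepro_bot~Fxt, https://db-ip.com/demo/home.php?s=81.181.57.52?F), with and without an explicit :443, and occasionally run together with a neighbouring string (favicon.icohttps://duckduckgo.com/?q=). The script below is an added triage helper, not part of the sandbox report or of the RisePro sample: it parses lines in the report's own "Source: ... String found in binary or memory: ..." format, normalises the URLs, collapses junk-suffix variants onto their clean form, and records whether each indicator came from a process memory dump (.sdmp) or from a dropped file (.dr). The geolocation host list, the 16-byte junk-suffix threshold and the sample excerpt are the author's assumptions; the excerpt copies URLs and source descriptors from this page with the source lists shortened.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed excerpt of the report's "String found in binary or memory" lines.
# URLs and source descriptors are the page's own; source lists are shortened.
REPORT_EXCERPT = """\
Source: ygm2mXUReY.exe, 00000000.00000003.2214747133.0000000009032000.00000004.00000020.00020000.00000000.sdmp, NdZrHbm08IDPWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52
Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52?F
Source: MPGPH131.exe, 00000009.00000003.2178291011.0000000004326000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52
Source: MPGPH131.exe, 0000000A.00000002.2607017449.000000000442E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: MPGPH131.exe, 00000009.00000002.2589750462.00000000042C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/l
Source: ygm2mXUReY.exe, 00000000.00000002.2413282182.00000000043AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52
Source: ygm2mXUReY.exe, 00000000.00000002.2413282182.00000000043AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52=J
Source: passwords.txt.10.dr, passwords.txt.0.dr String found in binary or memory: https://t.me/risepro_bot
Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot~Fxt
Source: SZDEAvOWuc1j5blWLO4H6aA.zip.0.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
"""

LINE_RE = re.compile(
    r"^Source: (?P<src>.*?) String found in binary or memory: (?P<s>\S+)\s*$", re.M)
# Services a stealer queries to geolocate the victim. Analyst-maintained list,
# seeded from the hosts on this page (assumption, not a field of the report).
GEO_LOOKUP_HOSTS = {"db-ip.com", "ipinfo.io", "www.maxmind.com"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_sources(src_field):
    """'<process>, <dump id>.sdmp' -> ('memory', process, dump id);
    '<file>.<n>.dr' -> ('dropped', file, None), as the report writes them."""
    tokens = [t.strip() for t in src_field.split(",")]
    out = []
    for i, tok in enumerate(tokens):
        if tok.endswith(".sdmp"):
            out.append(("memory", tokens[i - 1], tok))
        elif tok.endswith(".dr"):
            out.append(("dropped", tok, None))
    return out


def split_concatenated(s):
    """Memory strings can run two URLs together ('favicon.icohttps://...')."""
    return [p for p in re.split(r"(?=https?://)", s) if p]


def strip_default_port(u):
    sp = urlsplit(u)
    if sp.scheme == "https" and sp.port == 443:
        return sp._replace(netloc=sp.hostname).geturl()
    return u


def collapse_junk_suffixes(urls, junk_max=16):
    """Map each string to the longest shorter string it extends by a short,
    slash-free tail: such tails are bytes that followed the URL in memory
    ('risepro_bot~Fxt', 'home.php?s=...?F'), not distinct URLs. Threshold
    is an assumption; tails containing '/' are kept as real paths."""
    uniq = sorted(set(urls), key=len)
    canon = {}
    for u in uniq:
        best = None
        for c in uniq:
            if len(c) >= len(u):
                break
            tail = u[len(c):]
            if u.startswith(c) and "/" not in tail and len(tail) <= junk_max:
                best = c  # later candidates are longer, so the last hit wins
        canon[u] = canon[best] if best else u
    return canon


def triage(report_text):
    raw = []
    for m in LINE_RE.finditer(report_text):
        for u in split_concatenated(m.group("s")):
            raw.append((strip_default_port(u), m.group("src")))
    canon = collapse_junk_suffixes([u for u, _ in raw])
    hits = defaultdict(lambda: {"variants": set(), "sources": set()})
    for u, src in raw:
        hits[canon[u]]["variants"].add(u)
        hits[canon[u]]["sources"].update(parse_sources(src))
    return dict(hits)


def geo_lookup_urls(hits):
    return sorted(u for u in hits if urlsplit(u).hostname in GEO_LOOKUP_HOSTS)


def echoed_ips(hits):
    """IPs embedded in the lookup URLs: the address the sample learned for the
    machine it runs on, which in a sandbox run is the sandbox's egress IP."""
    return {ip for u in geo_lookup_urls(hits) for ip in IPV4_RE.findall(u)}


if __name__ == "__main__":
    hits = triage(REPORT_EXCERPT)
    for url, info in sorted(hits.items()):
        kinds = sorted({s[0] for s in info["sources"]})
        print(f"{url}  variants={len(info['variants'])} "
              f"sources={len(info['sources'])} {kinds}")
    print("geolocation lookups:", geo_lookup_urls(hits))
    print("echoed IPs (not attacker indicators):", echoed_ips(hits))
```

Two things fall out of the collapsed view that the raw listing hides. First, the Telegram contact strings occur both in process memory and inside the dropped passwords.txt and .zip files, which is the stealer writing its own advertisement into the exfiltration package rather than a victim artifact. Second, the address inside the db-ip.com and ipinfo.io queries is whatever public IP the sample discovered for the host it was running on; it belongs to the analysis environment and should not be copied into a blocklist.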
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_004F2150 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown, 0_2_004F2150

System Summary

Source: 0000000A.00000002.2607924286.0000000005F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2413162518.000000000427D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.2607833266.00000000046C3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000002.2590308249.0000000004656000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000009.00000002.2590418032.0000000005FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2414862397.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045504E 0_2_0045504E
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045B010 0_2_0045B010
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0049D110 0_2_0049D110
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_005041A0 0_2_005041A0
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_004091BF 0_2_004091BF
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0040D468 0_2_0040D468
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0040E58B 0_2_0040E58B
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_004F6660 0_2_004F6660
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_004CC610 0_2_004CC610
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_004B36B0 0_2_004B36B0
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045578C 0_2_0045578C
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045A790 0_2_0045A790
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_004DF790 0_2_004DF790
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_004DB860 0_2_004DB860
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0043A8BD 0_2_0043A8BD
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_00506920 0_2_00506920
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_005209F0 0_2_005209F0
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0054B990 0_2_0054B990
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0040CA55 0_2_0040CA55
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_00453C30 0_2_00453C30
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_00506DD0 0_2_00506DD0
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0042A040 0_2_0042A040
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0044F050 0_2_0044F050
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_00409010 0_2_00409010
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_004FC0A0 0_2_004FC0A0
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_004FB0A0 0_2_004FB0A0
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_005040A0 0_2_005040A0
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_00510140 0_2_00510140
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_00553170 0_2_00553170
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 796
Source: ygm2mXUReY.exe, 00000000.00000003.2023742197.00000000043B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFires( vs ygm2mXUReY.exe
Source: ygm2mXUReY.exe, 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs ygm2mXUReY.exe
Source: ygm2mXUReY.exe, 00000000.00000003.2023118340.00000000043AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFires( vs ygm2mXUReY.exe
Source: ygm2mXUReY.exe, 00000000.00000003.2008770227.0000000006070000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs ygm2mXUReY.exe
Source: ygm2mXUReY.exe, 00000000.00000000.2007505852.00000000040D8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFires( vs ygm2mXUReY.exe
Source: ygm2mXUReY.exe, 00000000.00000002.2414862397.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs ygm2mXUReY.exe
Source: ygm2mXUReY.exe Binary or memory string: OriginalFilenameFires( vs ygm2mXUReY.exe
Source: ygm2mXUReY.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0000000A.00000002.2607924286.0000000005F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2413162518.000000000427D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.2607833266.00000000046C3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000002.2590308249.0000000004656000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000009.00000002.2590418032.0000000005FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2414862397.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@24/114@2/3
Source: C:\Users\user\Desktop\ygm2mXUReY.exe File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6668:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4268:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess736
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1672
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5504
Source: C:\Users\user\Desktop\ygm2mXUReY.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Command line argument: 131 0_2_00453C30
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Command line argument: 131 0_2_00453C30
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Command line argument: Dk43l_dwmk438* 0_2_00453C30
Source: ygm2mXUReY.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ygm2mXUReY.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ygm2mXUReY.exe, 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, ygm2mXUReY.exe, 00000000.00000003.2008770227.0000000006070000.00000004.00001000.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414862397.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590418032.0000000005FE0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2045834607.0000000006180000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2587702238.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2046639199.00000000060D0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2604776514.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2607924286.0000000005F30000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: ygm2mXUReY.exe, 00000000.00000002.2410994426.0000000000400000.00000040.00000001.01000000.00000003.sdmp, ygm2mXUReY.exe, 00000000.00000003.2008770227.0000000006070000.00000004.00001000.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414862397.0000000005ED0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590418032.0000000005FE0000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2045834607.0000000006180000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2587702238.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2046639199.00000000060D0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.2604776514.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.2607924286.0000000005F30000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: ygm2mXUReY.exe, 00000000.00000003.2212874316.000000000901F000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2211674747.0000000008E29000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2220253774.0000000009025000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2290422412.0000000008F8F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2290821951.0000000008E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2277951869.0000000008E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2275318920.0000000008E29000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.2263800079.0000000008DFF000.00000004.00000020.00020000.00000000.sdmp, TMHi1BjWgM9QLogin Data.0.dr, u7JVJIshcVUFLogin Data.10.dr, D_PqPMh3t76fLogin Data.0.dr, BvIYddkfIBauLogin Data.10.dr, MRFQeKpv_Q9HLogin Data For Account.10.dr, e1b5ormmlkNOLogin Data For Account.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: ygm2mXUReY.exe Virustotal: Detection: 39%
Source: C:\Users\user\Desktop\ygm2mXUReY.exe File read: C:\Users\user\Desktop\ygm2mXUReY.exe
Source: unknown Process created: C:\Users\user\Desktop\ygm2mXUReY.exe "C:\Users\user\Desktop\ygm2mXUReY.exe"
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 796
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 952
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 984
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 992
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 1056
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 800
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 772
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 1380
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 896
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 1388
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 900
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 916
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 912
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 948
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 1100
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msimg32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msvcr100.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msimg32.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msvcr100.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\ygm2mXUReY.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: ygm2mXUReY.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ]C:\wedigi\reciforeb\tetuguhuc\y.pdb source: ygm2mXUReY.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr
Source: Binary string: C:\wedigi\reciforeb\tetuguhuc\y.pdb source: ygm2mXUReY.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\ygm2mXUReY.exe Unpacked PE file: 0.2.ygm2mXUReY.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 10.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Unpacked PE file: 0.2.ygm2mXUReY.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 10.2.MPGPH131.exe.400000.0.unpack
Source: C:\Users\user\Desktop\ygm2mXUReY.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe (2 occurrences) Jump to dropped file
Source: C:\Users\user\Desktop\ygm2mXUReY.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Jump to dropped file
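The "Unpacked PE file ... vs ..." lines above compare the section layout of a memory dump against the file as written to disk. The following is an added example, not part of the sandbox report or its tooling: it parses that notation and reports which sections were dropped, added or had their rights changed. It assumes (the report does not spell this out) that the left-hand list is the dumped in-memory image and the right-hand list is the on-disk file, and that E/R/W mean execute/read/write. The second input line is constructed to show what a genuine rights change looks like; the first is copied from this report.

```python
import re

# Copied from this report (process 0, image base 0x400000). ASSUMPTION: left of " vs " is the
# dumped in-memory image, right is the file on disk; E = execute, R = read, W = write.
SAMPLE_LINE = ("Source: C:\\Users\\user\\Desktop\\ygm2mXUReY.exe Unpacked PE file: "
               "0.2.ygm2mXUReY.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; "
               "vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;")

# CONSTRUCTED line (not from this report) showing a packer stub that made .text writable in memory.
CONSTRUCTED_LINE = ("Source: C:\\sample.exe Unpacked PE file: 1.2.sample.exe.400000.0.unpack "
                    ".text:ERW;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;")


def parse_section_rights(spec: str) -> dict:
    """Parse '.text:ER;.rdata:R;' into {'.text': frozenset('ER'), '.rdata': frozenset('R')}."""
    sections = {}
    for item in spec.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, rights = item.partition(":")
        sections[name] = frozenset(rights.upper())
    return sections


def diff_unpack_line(line: str) -> dict:
    """Diff the dumped image's sections against the on-disk file's sections for one report line."""
    m = re.search(r"Unpacked PE file: (\S+) (.+?) vs (.+)$", line)
    if not m:
        raise ValueError("not an 'Unpacked PE file ... vs ...' comparison line")
    dump_id = m.group(1)
    dumped, ondisk = parse_section_rights(m.group(2)), parse_section_rights(m.group(3))
    common = dumped.keys() & ondisk.keys()
    return {
        "dump": dump_id,
        # sections present on disk but absent from the dump (e.g. .reloc discarded after loading)
        "missing_in_dump": sorted(ondisk.keys() - dumped.keys()),
        # sections that exist only in memory (a packer carving out a new region)
        "new_in_dump": sorted(dumped.keys() - ondisk.keys()),
        # (on-disk rights, in-memory rights) for sections whose protection differs
        "rights_changed": {n: ("".join(sorted(ondisk[n])), "".join(sorted(dumped[n])))
                           for n in sorted(common) if dumped[n] != ondisk[n]},
        # W+X in memory is the classic self-modifying / unpacking signature
        "writable_and_executable": sorted(n for n, r in dumped.items() if {"W", "E"} <= r),
    }


if __name__ == "__main__":
    for line in (SAMPLE_LINE, CONSTRUCTED_LINE):
        print(diff_unpack_line(line))
```

For the line taken from this report the per-section rights are identical on both sides; the only delta is that .reloc is absent from the dump. That is worth knowing before reading "changes PE section rights" in the signature list as proof of a W+X stage: the evidence for that signature lies in the runtime trace, not in this static comparison.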

Boot Survival

barindex
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 (2 occurrences) Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
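The persistence recorded above combines a scheduled task (/sc HOURLY, /rl HIGHEST, /f, binary under C:\ProgramData) with an HKCU Run value. The following is an added example, not part of the sandbox report: detection logic that parses a schtasks command line and a Run-key write and explains why each trips. The schtasks command line is the one shown in this report; the Run value's data path is assumed to be the dropped RageMP131.exe (the report lists only the value name); the third event is a constructed benign control.

```python
from __future__ import annotations
import re

# Constructed sample events modelled on the behaviour lines in this report. Event 0 is the
# schtasks command line the report shows. Event 1 uses the Run value name from the report; its
# data path is an ASSUMPTION (the report does not print it). Event 2 is a benign control.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" '
                r'/tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST'},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "RageMP131", "data": r"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Vendor Update" /tr "C:\Program Files\Vendor\updater.exe" /sc DAILY'},
]

# Directories a standard user can write to; autostart targets here deserve a look.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\(?:ProgramData\\|Users\\[^\\]+\\AppData\\|Users\\Public\\|Windows\\Temp\\)",
    re.IGNORECASE)
FREQUENT_SCHEDULES = {"MINUTE", "HOURLY", "ONLOGON", "ONSTART", "ONIDLE"}


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line; double-quoted arguments stay one token, quotes removed."""
    return [quoted if quoted else bare
            for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline: str) -> dict[str, str | bool]:
    """Map schtasks switches to values; switches without a value (/create, /f) map to True."""
    tokens = tokenize(cmdline)
    opts: dict[str, str | bool] = {}
    i = 1  # tokens[0] is the executable
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[name] = tokens[i + 1]
                i += 2
                continue
            opts[name] = True
        i += 1
    return opts


def assess_schtasks(cmdline: str) -> list[str]:
    """Return the reasons a task-creation command looks like malware persistence (empty if none)."""
    opts = parse_schtasks(cmdline)
    if "create" not in opts:
        return []
    reasons = []
    target = str(opts.get("tr", ""))
    if USER_WRITABLE.match(target):
        reasons.append(f"task binary in user-writable location: {target}")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("/rl HIGHEST requests the highest privilege level available to the account")
    if str(opts.get("sc", "")).upper() in FREQUENT_SCHEDULES:
        reasons.append(f"frequent or logon-triggered schedule: /sc {opts['sc']}")
    if opts.get("f") is True:
        reasons.append("/f silently overwrites an existing task with the same name")
    return reasons


def assess_run_key(key: str, data: str) -> list[str]:
    """Flag Run/RunOnce autostart writes, especially those pointing at user-writable paths."""
    reasons = []
    if re.search(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", key, re.IGNORECASE):
        reasons.append("autostart entry written under the Run key")
        if USER_WRITABLE.match(data):
            reasons.append(f"autostart target in user-writable location: {data}")
    return reasons


def scan(events: list[dict]) -> list[dict]:
    """One finding per event that trips at least one rule; clean events are omitted."""
    findings = []
    for idx, ev in enumerate(events):
        if ev["type"] == "process" and ev["image"].lower().endswith("\\schtasks.exe"):
            reasons = assess_schtasks(ev["cmdline"])
        elif ev["type"] == "registry":
            reasons = assess_run_key(ev["key"], ev["data"])
        else:
            reasons = []
        if reasons:
            findings.append({"index": idx, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["index"], *finding["reasons"], sep="\n  ")
```

One caveat when triaging hits: /rl HIGHEST only yields an elevated token if the account named in /RU is an administrator; for a standard user the task still runs, but without elevation. The control event passes because its binary sits under Program Files and it runs DAILY with no run level, which is what a legitimate updater usually looks like.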
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences) Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (51 occurrences) Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (25 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (255 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\ygm2mXUReY.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 0_2_0045A5C0
Source: C:\Users\user\Desktop\ygm2mXUReY.exe TID: 3192 Thread sleep count: 43 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1856 Thread sleep count: 101 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1856 Thread sleep count: 38 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4432 Thread sleep count: 101 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_004D0620 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_004D0620
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_004F2870 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_004F2870
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0042C82B FindClose,FindFirstFileExW,GetLastError, 0_2_0042C82B
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ygm2mXUReY.exe_65396d3389e0d0bfd23059c0a7ad776d4579bbf9_66eab1d0_2bf57861-c4ef-4b8b-97e9-ae95bb3c92d5\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_1695d586fe6dcb3fc26aa419f17677af41dbbd72_05789ee0_782df4d4-a9ed-4ef0-9c2b-b94a67192a7b\
Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWu
Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: formVMware20,11696428655
Source: MPGPH131.exe, 00000009.00000003.2296684755.0000000008F93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,1169642865p
Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ccount.microsoft.com/profileVMware20,11696428655u
Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CT service, encrypted_token FROM token_servicerr global passwords blocklistVMware20,11696428655
Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696
Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r global passwords blocklistVMware20,11696428655
Source: ygm2mXUReY.exe, 00000000.00000002.2415576693.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}gramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows8ZAAAA``I
Source: ygm2mXUReY.exe, 00000000.00000003.2378193179.0000000008E23000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_92579849:FTt_
Source: MPGPH131.exe, 00000009.00000003.2292406288.0000000008F8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,11696428655
Source: MPGPH131.exe, 0000000A.00000002.2607017449.00000000043F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: ygm2mXUReY.exe, 00000000.00000002.2413282182.0000000004350000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000IFIER=Intel64 Family 6 Model @
Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: MPGPH131.exe, 00000009.00000003.2292406288.0000000008F8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CT name, value FROM autofillmain'.sqlite_masterr global passwords blocklistVMware20,11696428655
Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\*
Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
Source: MPGPH131.exe, 0000000A.00000003.2276920774.0000000008E2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PasswordVMware20,1169642
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: discord.comVMware20,11696428655f
Source: MPGPH131.exe, 0000000A.00000003.2089367371.0000000004458000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000009.00000003.2442940053.0000000004371000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_92579849m
Source: MPGPH131.exe, 00000009.00000003.2296684755.0000000008F93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116
Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: MPGPH131.exe, 00000009.00000003.2296684755.0000000008F93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428x
Source: ygm2mXUReY.exe, 00000000.00000003.2044956721.00000000043C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}P
Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rootpagecomVMware20,11696428655o
Source: Amcache.hve.8.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pageformVMware20,11696428655
Source: MPGPH131.exe, 0000000A.00000003.2276920774.0000000008E2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: zure.comVMware20,1169642
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: MPGPH131.exe, 0000000A.00000002.2607583034.00000000044DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_92579849
Source: MPGPH131.exe, 0000000A.00000003.2276920774.0000000008E2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ansaction PasswordVMware6
Source: MPGPH131.exe, 00000009.00000003.2292406288.0000000008F8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696 T
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Amcache.hve.8.dr Binary or memory string: VMware
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MPGPH131.exe, 00000009.00000003.2440628791.0000000004348000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}<
Source: ygm2mXUReY.exe, 00000000.00000002.2413282182.00000000043B1000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2589750462.00000000042DF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.0000000004325000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.2590179683.0000000004325000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: MPGPH131.exe, 00000009.00000002.2589750462.0000000004280000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&T9
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: MPGPH131.exe, 0000000A.00000003.2089367371.0000000004458000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000009.00000003.2292406288.0000000008F8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: eVMware20,11696428655
Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,1169642865
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}-
Source: MPGPH131.exe, 00000009.00000003.2292406288.0000000008F8A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116HQ
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ra Change Transaction PasswordVMware20,11696428655
Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: o.inVMware20,11696428655~
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116(
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
Source: MPGPH131.exe, 00000009.00000002.2589750462.00000000042EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}b9
Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696428655
Source: MPGPH131.exe, 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: comVMware20,11696428655o
Source: MPGPH131.exe, 0000000A.00000002.2607583034.00000000044DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_92579849T
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: MPGPH131.exe, 00000009.00000003.2440628791.0000000004371000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\*H9
Source: FsARZr9gVanTWeb Data.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: MPGPH131.exe, 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2440628791.000000000430B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000002.2414484022.00000000043EE000.00000004.00000020.00020000.00000000.sdmp, ygm2mXUReY.exe, 00000000.00000003.2378552588.00000000043EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWQ
Source: MPGPH131.exe, 0000000A.00000003.2280109698.0000000008E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: MPGPH131.exe, 00000009.00000003.2092896706.00000000042F1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}v8
Source: ygm2mXUReY.exe, 00000000.00000002.2413282182.0000000004350000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000OD
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_004E2080 IsDebuggerPresent,IsProcessorFeaturePresent,GetVolumeInformationA, 0_2_004E2080
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045504E CreateThread,FindCloseChangeNotification,Sleep,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep, 0_2_0045504E
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045504E mov eax, dword ptr fs:[00000030h] 0_2_0045504E
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045504E mov ecx, dword ptr fs:[00000030h] 0_2_0045504E
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045A5C0 mov eax, dword ptr fs:[00000030h] 0_2_0045A5C0
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045A5C0 mov eax, dword ptr fs:[00000030h] 0_2_0045A5C0
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045578C mov eax, dword ptr fs:[00000030h] 0_2_0045578C
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045578C mov eax, dword ptr fs:[00000030h] 0_2_0045578C
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045578C mov eax, dword ptr fs:[00000030h] 0_2_0045578C
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045578C mov eax, dword ptr fs:[00000030h] 0_2_0045578C
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045578C mov eax, dword ptr fs:[00000030h] 0_2_0045578C
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045578C mov eax, dword ptr fs:[00000030h] 0_2_0045578C
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045578C mov eax, dword ptr fs:[00000030h] 0_2_0045578C
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045578C mov eax, dword ptr fs:[00000030h] 0_2_0045578C
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045578C mov eax, dword ptr fs:[00000030h] 0_2_0045578C
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045578C mov eax, dword ptr fs:[00000030h] 0_2_0045578C
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045578C mov eax, dword ptr fs:[00000030h] 0_2_0045578C
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045578C mov eax, dword ptr fs:[00000030h] 0_2_0045578C
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045578C mov eax, dword ptr fs:[00000030h] 0_2_0045578C
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045578C mov eax, dword ptr fs:[00000030h] 0_2_0045578C
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045578C mov eax, dword ptr fs:[00000030h] 0_2_0045578C
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_0045578C mov eax, dword ptr fs:[00000030h] 0_2_0045578C
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_004DF790 mov ecx, dword ptr fs:[00000030h] 0_2_004DF790
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_00453C30 mov eax, dword ptr fs:[00000030h] 0_2_00453C30
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_00453C30 mov ecx, dword ptr fs:[00000030h] 0_2_00453C30
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_004FA050 GetProcessHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_004FA050
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_00453C30 Sleep,GetCurrentProcess,SetPriorityClass,SetUnhandledExceptionFilter,SetThreadExecutionState,SetThreadExecutionState,LoadLibraryA,GetModuleFileNameA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,LoadLibraryA,CreateThread,FindCloseChangeNotification,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,SetCurrentDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,CreateThread,CreateThread,CreateThread,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep, 0_2_00453C30
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_004DB860 GetModuleFileNameA,GetUserNameA,CopyFileA,CopyFileA,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,GetModuleFileNameA,CopyFileA, 0_2_004DB860
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Code function: 0_2_004479BE GetTimeZoneInformation, 0_2_004479BE
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.2415576693.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2439521788.0000000008E04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2413282182.000000000435E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2608848110.0000000008E08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ygm2mXUReY.exe PID: 5504, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 1672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 736, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\SZDEAvOWuc1j5blWLO4H6aA.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\dxTuy4jPkMDKvqGzbwvO8nc.zip, type: DROPPED
Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.00000000043EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets8b}
Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.0000000004444000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.0000000004444000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx
Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.0000000004444000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.0000000004444000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.0000000004444000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.0000000004444000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.0000000004444000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.0000000004444000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: ygm2mXUReY.exe, 00000000.00000003.2377451245.0000000004444000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: MPGPH131.exe, 00000009.00000003.2440628791.0000000004325000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*G
Source: ygm2mXUReY.exe, 00000000.00000003.2377942278.0000000008E23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\formhistory.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Desktop\ygm2mXUReY.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\ygm2mXUReY.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\ygm2mXUReY.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 00000009.00000003.2440628791.0000000004371000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2607017449.0000000004477000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ygm2mXUReY.exe PID: 5504, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 1672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 736, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.2415576693.0000000008DD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2590148325.000000000430C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2442547295.000000000430B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2439521788.0000000008E04000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2442056915.000000000430B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2413282182.000000000435E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2441793106.000000000430B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2608848110.0000000008E08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ygm2mXUReY.exe PID: 5504, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 1672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 736, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\SZDEAvOWuc1j5blWLO4H6aA.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\dxTuy4jPkMDKvqGzbwvO8nc.zip, type: DROPPED