Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1431817
MD5: 6795efba98699a0cae3c4f729b83ace9
SHA1: a46482db507cf67307880919b85dc2187d2a2512
SHA256: 026387aa4411dac1107e403fb44fa90c5a34ec5ab0068af13e3f8f9f0b0f46cd
Tags: exe
Infos:

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://193.233.132.167/cost/lenin.exe URL Reputation: Label: malware
Source: http://193.233.132.167/cost/go.exe Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/go.exe(i Avira URL Cloud: Label: malware
Source: http://147.45.47.102:57893/hera/amadka.exe Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/go.exedka.exe Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/lenin.exeegent Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/go.exeerver Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/lenin.exeerH_ Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://193.233.132.167/cost/go.exe Virustotal: Detection: 24% Perma Link
Source: http://147.45.47.102:57893/hera/amadka.exe Virustotal: Detection: 18% Perma Link
Source: http://147.45.47.102:57893/hera/amadka.exeop Virustotal: Detection: 18% Perma Link
Source: http://193.233.132.167/cost/go.exedka.exe Virustotal: Detection: 25% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Virustotal: Detection: 39% Perma Link
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Virustotal: Detection: 39% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00863EB0 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree, 0_2_00863EB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00303EB0 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree, 6_2_00303EB0
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49738 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0087D2B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00831A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree, 0_2_00831A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008633B0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_008633B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00883B20 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_00883B20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D1F8C FindClose,FindFirstFileExW,GetLastError, 0_2_007D1F8C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D2012 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_007D2012
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008313F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_008313F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0031D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 6_2_0031D2B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_003033B0 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose, 6_2_003033B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_002D1A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA, 6_2_002D1A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00323B20 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 6_2_00323B20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00271F8C FindClose,FindFirstFileExW,GetLastError, 6_2_00271F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00272012 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 6_2_00272012
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_002D13F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 6_2_002D13F0

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49705 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49705
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49705
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49708
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49708
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49705 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49708 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49714
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49714 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49724
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49724 -> 147.45.47.93:58709
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 147.45.47.93:58709
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 147.45.47.93 147.45.47.93
Source: Joe Sandbox View IP Address: 104.26.5.15 104.26.5.15
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
May check the online IP address of the machine
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /widget/demo/185.152.66.230 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=185.152.66.230 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/185.152.66.230 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/185.152.66.230 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=185.152.66.230 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=185.152.66.230 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/185.152.66.230 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=185.152.66.230 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/185.152.66.230 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=185.152.66.230 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00865940 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,FreeAddrInfoW,WSACleanup,FreeAddrInfoW, 0_2_00865940
Source: global traffic HTTP traffic detected: GET /widget/demo/185.152.66.230 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=185.152.66.230 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/185.152.66.230 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/185.152.66.230 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=185.152.66.230 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=185.152.66.230 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/185.152.66.230 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=185.152.66.230 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/185.152.66.230 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=185.152.66.230 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: file.exe, 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe&i
Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe42359
Source: file.exe, 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeop
Source: file.exe, 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe
Source: MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe(i
Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exedka.exe
Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exeerver
Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe
Source: MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exeegent
Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exeerH_
Source: Amcache.hve.11.dr String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000000.00000003.2033168714.0000000002E70000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2331180596.000000000039B000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2059493244.0000000001020000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2059966123.0000000000FA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2129853471.000000000039B000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000003.2138507545.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2430993688.0000000000F5B000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000003.2228346695.00000000016E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2531991205.0000000000F5B000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RageMP131.exe, 00000010.00000003.2455967104.00000000019EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 00000008.00000002.2431987171.000000000191E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000003.2455967104.0000000001A32000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.0000000001A32000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019E3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000003.2455967104.00000000019EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=185.152.66.230
Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=185.152.66.230Xl
Source: MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=185.152.66.230i
Source: file.exe, 00000000.00000002.2325278165.0000000001400000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2431987171.000000000191E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=185.152.66.230
Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=185.152.66.230.datapacket.com
Source: RageMP131.exe, 00000010.00000002.2533471546.00000000019E3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000003.2455967104.00000000019EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=185.152.66.230P
Source: file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RageMP131.exe, 00000008.00000002.2431987171.000000000191E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2431987171.00000000018D3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.000000000198F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019E3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019CC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000003.2455967104.00000000019EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001109000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/1
Source: RageMP131.exe, 00000010.00000002.2533471546.00000000019C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/6K
Source: file.exe, 00000000.00000002.2325278165.00000000013EF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.0000000001109000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2431987171.000000000191E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: RageMP131.exe, 00000008.00000002.2431987171.00000000018D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/O
Source: file.exe, 00000000.00000003.2033168714.0000000002E70000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2331180596.000000000039B000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2059493244.0000000001020000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2059966123.0000000000FA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2129853471.000000000039B000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000003.2138507545.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2430993688.0000000000F5B000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000003.2228346695.00000000016E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2531991205.0000000000F5B000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 00000006.00000002.2332544604.00000000010D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/jM
Source: RageMP131.exe, 00000008.00000002.2431987171.000000000190F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/m
Source: RageMP131.exe, 00000010.00000002.2533471546.000000000198F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/s
Source: RageMP131.exe, 00000008.00000002.2431987171.00000000018EC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2431987171.0000000001915000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019CC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/185.152.66.230
Source: RageMP131.exe, 00000010.00000002.2533471546.00000000019AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/185.152.66.230q
Source: file.exe, 00000000.00000002.2325278165.00000000013E6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.0000000001117000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/185.152.66.230
Source: RageMP131.exe, 00000008.00000002.2431987171.0000000001915000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/185.152.66.230Qd
Source: D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: file.exe, 00000000.00000002.2326694552.0000000005DC4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.000000000109D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2333459442.00000000059B0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.0000000001087000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2431987171.000000000189E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.0000000001957000.00000004.00000020.00020000.00000000.sdmp, HCwgibNvhQ3gDx_DWG1aNau.zip.0.dr, 1YMX7UxRgh318S1TWXmjgUx.zip.6.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: file.exe, 00000000.00000002.2325278165.000000000136E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT.tPVx
Source: RageMP131.exe, 00000010.00000002.2533471546.0000000001957000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT3
Source: RageMP131.exe, 00000008.00000002.2431987171.000000000191E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro
Source: RageMP131.exe, 00000010.00000002.2533471546.00000000019E3000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr, passwords.txt.6.dr String found in binary or memory: https://t.me/risepro_bot
Source: MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot6.230
Source: file.exe, 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot7
Source: RageMP131.exe, 00000008.00000002.2431987171.000000000191E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: RageMP131.exe, 00000010.00000002.2533471546.00000000019E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botist
Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botlatere_(
Source: RageMP131.exe, 00000008.00000002.2431987171.000000000191E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botsA
Source: file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2111757556.0000000005E09000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106406140.0000000005E05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2141943768.0000000005A22000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2143543361.0000000005A23000.00000004.00000020.00020000.00000000.sdmp, FnKWlcBrreY1Web Data.6.dr, zeSJ9T1kwjwWWeb Data.6.dr, NwbTBYLMclw6Web Data.0.dr, Y9g_BlDmKPtZWeb Data.0.dr, tQzi7j4yFcLSWeb Data.6.dr, MQHnFYhPldB3Web Data.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/-_p
Source: file.exe, 00000000.00000003.2105638601.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115039621.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2114472164.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2122244297.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129153195.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108669470.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115593739.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2116658566.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2114154245.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2104422097.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107373820.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2105396441.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108284720.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2117337036.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2110479328.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103676294.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106893933.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2117645844.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2326694552.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2118084133.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2333535211.00000000059F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/a
Source: D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2105638601.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115039621.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2114472164.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2122244297.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129153195.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108669470.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115593739.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2116658566.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2114154245.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2104422097.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107373820.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2105396441.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108284720.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2117337036.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2110479328.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103676294.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106893933.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2117645844.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2326694552.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2118084133.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2333535211.00000000059F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/e
Source: file.exe, 00000000.00000003.2105638601.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115039621.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2114472164.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2122244297.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2129153195.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108669470.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115593739.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2116658566.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2114154245.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2104422097.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107373820.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2105396441.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108284720.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2117337036.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2110479328.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2103676294.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2106893933.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2117645844.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2326694552.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2118084133.0000000005DEC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2333535211.00000000059F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/irefox
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49738 version: TLS 1.2
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008833A0 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,73B574A0,DeleteObject,DeleteObject,ReleaseDC, 0_2_008833A0

System Summary
barindex
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00898080 0_2_00898080
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008DC8D0 0_2_008DC8D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E001D 0_2_007E001D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007AB8E0 0_2_007AB8E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008749B0 0_2_008749B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008361D0 0_2_008361D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00838A80 0_2_00838A80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087D2B0 0_2_0087D2B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00831A60 0_2_00831A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087C3E0 0_2_0087C3E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0083CBF0 0_2_0083CBF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007F8BA0 0_2_007F8BA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00847D20 0_2_00847D20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0083AEC0 0_2_0083AEC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00833ED0 0_2_00833ED0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087B7E0 0_2_0087B7E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0081F730 0_2_0081F730
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0082DF60 0_2_0082DF60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008E40A0 0_2_008E40A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008D20C0 0_2_008D20C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007DC950 0_2_007DC950
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007DA918 0_2_007DA918
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00822100 0_2_00822100
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00841130 0_2_00841130
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D7190 0_2_007D7190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008E3160 0_2_008E3160
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008E4AE0 0_2_008E4AE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00884B90 0_2_00884B90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007E035F 0_2_007E035F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00830BA0 0_2_00830BA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00890350 0_2_00890350
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007CF570 0_2_007CF570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007F25FE 0_2_007F25FE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007F8E20 0_2_007F8E20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00841E40 0_2_00841E40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0088BFC0 0_2_0088BFC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0088CFC0 0_2_0088CFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0028001D 6_2_0028001D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00338080 6_2_00338080
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_002D61D0 6_2_002D61D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0031D2B0 6_2_0031D2B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0031C3E0 6_2_0031C3E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_002BF730 6_2_002BF730
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0031B7E0 6_2_0031B7E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0024B8E0 6_2_0024B8E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0037C8D0 6_2_0037C8D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_003149B0 6_2_003149B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_002D1A60 6_2_002D1A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_002D8A80 6_2_002D8A80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_002DCBF0 6_2_002DCBF0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_002E7D20 6_2_002E7D20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_002DAEC0 6_2_002DAEC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_002D3ED0 6_2_002D3ED0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_002CDF60 6_2_002CDF60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_003840A0 6_2_003840A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_003720C0 6_2_003720C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_002E1130 6_2_002E1130
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_002C2100 6_2_002C2100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00383160 6_2_00383160
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00277190 6_2_00277190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0037F280 6_2_0037F280
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00330350 6_2_00330350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0028035F 6_2_0028035F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0026F570 6_2_0026F570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_002947AD 6_2_002947AD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0027A918 6_2_0027A918
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0027C950 6_2_0027C950
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0028DA74 6_2_0028DA74
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00385A40 6_2_00385A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00384AE0 6_2_00384AE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00298BA0 6_2_00298BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_002D0BA0 6_2_002D0BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00324B90 6_2_00324B90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0041FDB6 6_2_0041FDB6
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00298E20 6_2_00298E20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_002E1E40 6_2_002E1E40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0032CFC0 6_2_0032CFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0032BFC0 6_2_0032BFC0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 007BACE0 appears 86 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 0025ACE0 appears 86 times
One or more processes crash
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 1948
PE file contains more sections than normal
Source: RageMP131.exe.0.dr Static PE information: Number of sections : 12 > 10
Source: MPGPH131.exe.0.dr Static PE information: Number of sections : 12 > 10
Source: file.exe Static PE information: Number of sections : 12 > 10
Sample file is different than original file name gathered from version info
Source: file.exe Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000000.2029591798.000000000094A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe
Source: file.exe, 00000000.00000002.2323834373.0000000000927000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.999460876105108
Source: file.exe Static PE information: Section: ZLIB complexity 0.9960345643939394
Source: file.exe Static PE information: Section: ZLIB complexity 1.0023871527777777
Source: file.exe Static PE information: Section: ZLIB complexity 0.9898745888157895
Source: file.exe Static PE information: Section: .reloc ZLIB complexity 1.5
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.999460876105108
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9960345643939394
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 1.0023871527777777
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9898745888157895
Source: RageMP131.exe.0.dr Static PE information: Section: .reloc ZLIB complexity 1.5
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.999460876105108
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9960345643939394
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 1.0023871527777777
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9898745888157895
Source: MPGPH131.exe.0.dr Static PE information: Section: .reloc ZLIB complexity 1.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@13/58@2/3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0087D2B0
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\RageMP131 Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3160
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5688
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1788:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe, 00000000.00000003.2033168714.0000000002E70000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2331180596.000000000039B000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2059493244.0000000001020000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2059966123.0000000000FA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2129853471.000000000039B000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000003.2138507545.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2430993688.0000000000F5B000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000003.2228346695.00000000016E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2531991205.0000000000F5B000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000003.2033168714.0000000002E70000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2323776358.00000000008FB000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2331180596.000000000039B000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2059493244.0000000001020000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2059966123.0000000000FA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2129853471.000000000039B000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000003.2138507545.00000000015D0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2430993688.0000000000F5B000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000003.2228346695.00000000016E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2531991205.0000000000F5B000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000003.2104608499.0000000005DF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2114472164.0000000005DE0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2142090491.00000000059FB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2148821408.0000000005A05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2140859397.00000000059FB000.00000004.00000020.00020000.00000000.sdmp, OhQNgUJ0X5NgLogin Data.0.dr, 7PzLqHtz21igLogin Data For Account.6.dr, zvXv7gzjmXYkLogin Data For Account.0.dr, S0Pov5vdwAn3Login Data.6.dr, sdYAsTf3586cLogin Data.0.dr, NMxkTlMy11FaLogin Data.6.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 1948
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1152
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: file.exe Static file information: File size 2270736 > 1048576
Source: file.exe Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x188600
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0086C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_0086C630
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .boot
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .vm_sec
Source: file.exe Static PE information: section name: .themida
Source: file.exe Static PE information: section name: .boot
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .vm_sec
Source: RageMP131.exe.0.dr Static PE information: section name: .themida
Source: RageMP131.exe.0.dr Static PE information: section name: .boot
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .vm_sec
Source: MPGPH131.exe.0.dr Static PE information: section name: .themida
Source: MPGPH131.exe.0.dr Static PE information: section name: .boot
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B39D2D push esi; mov dword ptr [esp], 0047292Eh 0_2_00C12F43
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B39D2D push ebp; mov dword ptr [esp], esi 0_2_00C12F57
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B39D2D push 21151430h; mov dword ptr [esp], ecx 0_2_00C12F6F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B39D2D push 224624E2h; mov dword ptr [esp], edi 0_2_00C12FF5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D3F49 push ecx; ret 0_2_007D3F5C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005D9D2D push esi; mov dword ptr [esp], 0047292Eh 6_2_006B2F43
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005D9D2D push ebp; mov dword ptr [esp], esi 6_2_006B2F57
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005D9D2D push 21151430h; mov dword ptr [esp], ecx 6_2_006B2F6F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005D9D2D push 224624E2h; mov dword ptr [esp], edi 6_2_006B2FF5
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00273F49 push ecx; ret 6_2_00273F5C
Source: file.exe Static PE information: section name: entropy: 7.999486852289058
Source: file.exe Static PE information: section name: .boot entropy: 7.949192596228493
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.999486852289058
Source: RageMP131.exe.0.dr Static PE information: section name: .boot entropy: 7.949192596228493
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.999486852289058
Source: MPGPH131.exe.0.dr Static PE information: section name: .boot entropy: 7.949192596228493
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Found stalling execution ending in API Sleep call
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\user\Desktop\file.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found evasive API chain (date check)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6624 Thread sleep count: 163 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4524 Thread sleep count: 85 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4524 Thread sleep count: 149 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\file.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0087D2B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00831A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree, 0_2_00831A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008633B0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_008633B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00883B20 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_00883B20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D1F8C FindClose,FindFirstFileExW,GetLastError, 0_2_007D1F8C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D2012 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_007D2012
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008313F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_008313F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0031D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 6_2_0031D2B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_003033B0 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose, 6_2_003033B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_002D1A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA, 6_2_002D1A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00323B20 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 6_2_00323B20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00271F8C FindClose,FindFirstFileExW,GetLastError, 6_2_00271F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00272012 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 6_2_00272012
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_002D13F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 6_2_002D13F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0087D2B0
Source: MPGPH131.exe, 00000006.00000002.2332544604.000000000116E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_C7C08627:
Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: formVMware20,11696428655
Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ccount.microsoft.com/profileVMware20,11696428655u
Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CT service, encrypted_token FROM token_servicerr global passwords blocklistVMware20,11696428655
Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: MPGPH131.exe, 00000006.00000003.2149215743.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696
Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r global passwords blocklistVMware20,11696428655
Source: MPGPH131.exe, 00000006.00000003.2149215743.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,11696428655
Source: MPGPH131.exe, 00000007.00000002.2132463206.0000000001080000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: Amcache.hve.11.dr Binary or memory string: vmci.sys
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Amcache.hve.11.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: MPGPH131.exe, 00000006.00000003.2149215743.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CT name, value FROM autofillmain'.sqlite_masterr global passwords blocklistVMware20,11696428655
Source: Amcache.hve.11.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.11.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: RageMP131.exe, 00000008.00000002.2431987171.00000000018EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&"_
Source: RageMP131.exe, 00000008.00000003.2153200187.0000000001903000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}^
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual USB Mouse
Source: RageMP131.exe, 00000010.00000002.2533471546.00000000019B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: discord.comVMware20,11696428655f
Source: RageMP131.exe, 00000010.00000002.2533471546.00000000019B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000006.00000003.2149215743.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116
Source: Amcache.hve.11.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: MPGPH131.exe, 00000006.00000002.2332544604.000000000116E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_C7C08627
Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Amcache.hve.11.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rootpagecomVMware20,11696428655o
Source: Amcache.hve.11.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.11.dr Binary or memory string: vmci.syshbin`
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.11.dr Binary or memory string: \driver\vmci,\driver\pci
Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pageformVMware20,11696428655
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: MPGPH131.exe, 00000006.00000003.2149215743.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428H
Source: Amcache.hve.11.dr Binary or memory string: VMware
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.11.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: file.exe, 00000000.00000002.2325278165.0000000001400000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2325278165.00000000013BB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.00000000010EB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010D4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2132463206.00000000010FC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2431987171.00000000018EC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2431987171.000000000191E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.2533471546.00000000019E3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000003.2455967104.00000000019EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: MPGPH131.exe, 00000006.00000003.2153261936.000000000117C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}lfons\AppData\Local\NVIDIA Corporation\NVIDIA GeForce Experience\*
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RageMP131.exe, 00000010.00000003.2256184432.00000000019B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000006.00000003.2149215743.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: eVMware20,11696428655
Source: Amcache.hve.11.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,1169642865
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,116968
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.11.dr Binary or memory string: VMware20,1
Source: file.exe, 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\Profiles\v6zchhhv.default-release\signons.sqlite.nl,n.[
Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ra Change Transaction PasswordVMware20,11696428655
Source: Amcache.hve.11.dr Binary or memory string: VMware VMCI Bus Device
Source: MPGPH131.exe, 00000006.00000003.2149342197.0000000005A18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .bankofamerica.comVMware20,11696
Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: o.inVMware20,11696428655~
Source: file.exe, 00000000.00000002.2325845259.000000000145A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}W?
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.11.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RageMP131.exe, 00000010.00000002.2533471546.0000000001950000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: Amcache.hve.11.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.11.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.11.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.11.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.11.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: comVMware20,11696428655o
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.11.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: XQcivVrU5A5HWeb Data.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.11.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696428655
Source: file.exe, 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}y,h.uy,i.uy,j.uy,k.uy,l.uy,m.uy,n.uy,o.uy,p.uy,q.uy,r.uy,s.uy,t.uy,u.uy,v.uy,w.uy,x.uy,y.uy,z.uy,a
Source: file.exe, 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}gramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows8ZAAAA``/
Source: Amcache.hve.11.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: MPGPH131.exe, 00000006.00000003.2149215743.0000000005A0D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,1169642865@
Source: file.exe, 00000000.00000002.2325278165.0000000001400000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: RageMP131.exe, 00000010.00000002.2533471546.00000000019E3000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000003.2455967104.00000000019EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW>
Source: MPGPH131.exe, 00000006.00000003.2151353310.0000000005A1D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116`
Source: RageMP131.exe, 00000010.00000002.2533471546.000000000199F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D8A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007D8A54
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0086C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_0086C630
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00864130 mov eax, dword ptr fs:[00000030h] 0_2_00864130
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00831A60 mov eax, dword ptr fs:[00000030h] 0_2_00831A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00304130 mov eax, dword ptr fs:[00000030h] 6_2_00304130
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_002D1A60 mov eax, dword ptr fs:[00000030h] 6_2_002D1A60
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00886E20 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree, 0_2_00886E20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D8A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_007D8A54
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007D450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_007D450D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0027450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0027450D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00278A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00278A54

HIPS / PFW / Operating System Protection Evasion
barindex
Contains functionality to inject threads in other processes
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0086C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_0086C630
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0030C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 6_2_0030C630
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\file.exe Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0087D2B0
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_007F31B8
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_007EB1A3
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_007F32E1
Source: C:\Users\user\Desktop\file.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_007F2B48
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_007F33E7
Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_007F34BD
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_007F2D4D
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_007F2DF4
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_007F2E3F
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_007F2EDA
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_007F2F65
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_007EB726
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 6_2_0031D2B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_0028B1A3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_002931B8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_002932E1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_002933E7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_002934BD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_0028B726
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 6_2_00292B48
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_00292D4D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_00292DF4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_00292E3F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_00292EDA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_2_00292F65
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0087D2B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0087D2B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0087D2B0
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.11.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected RisePro Stealer
Source: Yara match File source: 00000000.00000002.2326694552.0000000005DC4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2333459442.00000000059B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 3160, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 1896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 6984, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\HCwgibNvhQ3gDx_DWG1aNau.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1YMX7UxRgh318S1TWXmjgUx.zip, type: DROPPED
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe, 00000000.00000003.2161978474.0000000001458000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\walletsni
Source: file.exe, 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: file.exe, 00000000.00000003.2161978474.0000000001458000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxxs
Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: file.exe, 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: file.exe, 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: file.exe, 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: file.exe, 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: file.exe, 00000000.00000002.2325278165.0000000001400000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: MPGPH131.exe, 00000006.00000002.2332544604.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: file.exe, 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live$
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\formhistory.sqlite Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000002.2325278165.0000000001423000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 3160, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RisePro Stealer
Source: Yara match File source: 00000000.00000002.2326694552.0000000005DC4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2326694552.0000000005D90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2333459442.00000000059B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5688, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 3160, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 1896, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 6984, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\HCwgibNvhQ3gDx_DWG1aNau.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1YMX7UxRgh318S1TWXmjgUx.zip, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1431817 Sample: file.exe Startdate: 25/04/2024 Architecture: WINDOWS Score: 100 39 ipinfo.io 2->39 41 db-ip.com 2->41 49 Snort IDS alert for network traffic 2->49 51 Multi AV Scanner detection for domain / URL 2->51 53 Antivirus detection for URL or domain 2->53 55 4 other signatures 2->55 8 file.exe 1 63 2->8         started        13 MPGPH131.exe 5 55 2->13         started        15 MPGPH131.exe 7 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 43 147.45.47.93, 49705, 49708, 49709 FREE-NET-ASFREEnetEU Russian Federation 8->43 45 ipinfo.io 34.117.186.192, 443, 49706, 49710 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->45 47 db-ip.com 104.26.5.15, 443, 49707, 49712 CLOUDFLARENETUS United States 8->47 31 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 8->31 dropped 33 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 8->33 dropped 35 C:\Users\user\...\HCwgibNvhQ3gDx_DWG1aNau.zip, Zip 8->35 dropped 57 Query firmware table information (likely to detect VMs) 8->57 59 Tries to steal Mail credentials (via file / registry access) 8->59 61 Found many strings related to Crypto-Wallets (likely being stolen) 8->61 73 2 other signatures 8->73 19 schtasks.exe 1 8->19         started        21 schtasks.exe 1 8->21         started        23 WerFault.exe 8->23         started        37 C:\Users\user\...\1YMX7UxRgh318S1TWXmjgUx.zip, Zip 13->37 dropped 63 Multi AV Scanner detection for dropped file 13->63 65 Machine Learning detection for dropped file 13->65 67 Found stalling execution ending in API Sleep call 13->67 25 WerFault.exe 13->25         started        69 Tries to harvest and steal browser information (history, passwords, etc) 15->69 71 Tries to detect sandboxes / dynamic malware analysis system (registry check) 15->71 file6 signatures7 process8 process9 27 conhost.exe 19->27         started        29 conhost.exe 21->29         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
34.117.186.192
 ipinfo.io United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
147.45.47.93
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU true
104.26.5.15
 db-ip.com United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
ipinfo.io 34.117.186.192 true
db-ip.com 104.26.5.15 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://ipinfo.io/widget/demo/185.152.66.230 false
    		high
    https://db-ip.com/demo/home.php?s=185.152.66.230 false
      		high