Edit tour

Windows Analysis Report
AlCsIOd0pd.exe

Overview

General Information

Sample name:	AlCsIOd0pd.exe renamed because original name is a hash value
Original sample name:	de584dd4970a8099454611ee0c739ea8.exe
Analysis ID:	1460268
MD5:	de584dd4970a8099454611ee0c739ea8
SHA1:	f22fe3bfb22b55d1f0dc2fd802a32d2beb157e0b
SHA256:	d0eff53cfd30f061451987b4e98205d81f9495e8f26def46aec15f7a4c171c20
Tags:	exeRiseProStealer
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected RisePro Stealer

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject threads in other processes

Found stalling execution ending in API Sleep call

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to evade debugger and weak emulator (self modifying code)

Uses schtasks.exe or at.exe to add and modify task schedules

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

AlCsIOd0pd.exe (PID: 4852 cmdline: "C:\Users\user\Desktop\AlCsIOd0pd.exe" MD5: DE584DD4970A8099454611EE0C739EA8)

schtasks.exe (PID: 1900 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2004 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MPGPH131.exe (PID: 5644 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: DE584DD4970A8099454611EE0C739EA8)

MPGPH131.exe (PID: 5740 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: DE584DD4970A8099454611EE0C739EA8)

RageMP131.exe (PID: 3720 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: DE584DD4970A8099454611EE0C739EA8)

RageMP131.exe (PID: 4460 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: DE584DD4970A8099454611EE0C739EA8)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: AlCsIOd0pd.exe PID: 4852	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 5644	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 5740	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 3720	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 4460	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\AlCsIOd0pd.exe, ProcessId: 4852, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort Signatures

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/20/24-18:18:46.029864
SID:	2046269
Source Port:	49741
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/20/24-18:16:18.111786
SID:	2049060
Source Port:	49731
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/20/24-18:18:43.639253
SID:	2046269
Source Port:	49732
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/20/24-18:18:46.029916
SID:	2046269
Source Port:	49735
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/20/24-18:18:45.967425
SID:	2046269
Source Port:	49731
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/20/24-18:16:22.687972
SID:	2046266
Source Port:	58709
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/20/24-18:16:40.743118
SID:	2046266
Source Port:	58709
Destination Port:	49741
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/20/24-18:16:18.693887
SID:	2046266
Source Port:	58709
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/20/24-18:16:22.714525
SID:	2046266
Source Port:	58709
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/20/24-18:18:43.701803
SID:	2046269
Source Port:	49733
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/20/24-18:16:34.458767
SID:	2046266
Source Port:	58709
Destination Port:	49735
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: AlCsIOd0pd.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: AlCsIOd0pd.exe

Joe Sandbox ML: detected

Source: AlCsIOd0pd.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError,	0_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00431F9C FindClose,FindFirstFileExW,GetLastError,	5_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00431F9C FindClose,FindFirstFileExW,GetLastError,	6_2_00431F9C

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49731 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49731
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49731 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49732
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49733
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49733 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49735
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49735 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49741
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49741 -> 77.91.77.66:58709

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9

Source: global traffic

TCP traffic: 192.168.2.4:49731 -> 77.91.77.66:58709

Source: Joe Sandbox View

IP Address: 77.91.77.66 77.91.77.66

Source: Joe Sandbox View

ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU

Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe

Code function: 0_2_00409280 recv,GetProcAddress,GetModuleHandleA,GetProcAddress,WSASend,

0_2_00409280

Source: AlCsIOd0pd.exe, 00000000.00000003.1748570602.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, AlCsIOd0pd.exe, 00000000.00000002.3251443342.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1783897542.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3252220820.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.3251589290.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1784572733.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3251444322.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1896625468.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.1976471958.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3251481803.000000000055D000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: MPGPH131.exe	String found in binary or memory: https://ipinfo.io/
Source: AlCsIOd0pd.exe, 00000000.00000003.1748570602.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, AlCsIOd0pd.exe, 00000000.00000002.3251443342.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1783897542.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3252220820.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.3251589290.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1784572733.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3251444322.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1896625468.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.1976471958.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3251481803.000000000055D000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: AlCsIOd0pd.exe, 00000000.00000002.3253969387.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3255069543.0000000000CED000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3253912060.0000000000C37000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3253787477.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3253822490.0000000000E38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: AlCsIOd0pd.exe, 00000000.00000002.3253969387.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTB
Source: RageMP131.exe, 00000007.00000002.3253787477.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTX
Source: MPGPH131.exe, 00000006.00000002.3253912060.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORToE
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

System Summary

PE file contains section with special chars

Source: AlCsIOd0pd.exe	Static PE information: section name:
Source: AlCsIOd0pd.exe	Static PE information: section name:
Source: AlCsIOd0pd.exe	Static PE information: section name:
Source: AlCsIOd0pd.exe	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: 0_2_0043C960	0_2_0043C960
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: 0_2_0043A928	0_2_0043A928
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: 0_2_004371A0	0_2_004371A0
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: 0_2_0044DA86	0_2_0044DA86
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: 0_2_0044036F	0_2_0044036F
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: 0_2_00458BB0	0_2_00458BB0
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: 0_2_004EFC40	0_2_004EFC40
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: 0_2_0042F580	0_2_0042F580
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: 0_2_00452610	0_2_00452610
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: 0_2_004F2FD0	0_2_004F2FD0
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: 0_2_004547BF	0_2_004547BF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0043C960	5_2_0043C960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0043A928	5_2_0043A928
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_004371A0	5_2_004371A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0044DA86	5_2_0044DA86
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0044036F	5_2_0044036F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00458BB0	5_2_00458BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_004EFC40	5_2_004EFC40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0042F580	5_2_0042F580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00452610	5_2_00452610
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_004F2FD0	5_2_004F2FD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_004547BF	5_2_004547BF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0043C960	6_2_0043C960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0043A928	6_2_0043A928
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_004371A0	6_2_004371A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0044DA86	6_2_0044DA86
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0044036F	6_2_0044036F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00458BB0	6_2_00458BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_004EFC40	6_2_004EFC40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0042F580	6_2_0042F580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00452610	6_2_00452610
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_004F2FD0	6_2_004F2FD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_004547BF	6_2_004547BF

Source: C:\ProgramData\MPGPH131\MPGPH131.exe

Code function: String function: 00434380 appears 48 times

Source: AlCsIOd0pd.exe	Binary or memory string: OriginalFilename vs AlCsIOd0pd.exe
Source: AlCsIOd0pd.exe, 00000000.00000002.3251516517.000000000058A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedotnet.exe6 vs AlCsIOd0pd.exe
Source: AlCsIOd0pd.exe, 00000000.00000000.1745421628.000000000058A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedotnet.exe6 vs AlCsIOd0pd.exe
Source: AlCsIOd0pd.exe	Binary or memory string: OriginalFilenamedotnet.exe6 vs AlCsIOd0pd.exe

Source: AlCsIOd0pd.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: AlCsIOd0pd.exe	Static PE information: Section: ZLIB complexity 0.9988486351431981
Source: AlCsIOd0pd.exe	Static PE information: Section: ZLIB complexity 0.9942874765037594
Source: AlCsIOd0pd.exe	Static PE information: Section: ZLIB complexity 0.98974609375
Source: AlCsIOd0pd.exe	Static PE information: Section: .reloc ZLIB complexity 1.5
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9988486351431981
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9942874765037594
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.98974609375
Source: RageMP131.exe.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.5
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9988486351431981
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9942874765037594
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.98974609375
Source: MPGPH131.exe.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.5

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/5@0/1

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4304:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_03

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe

File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Jump to behavior

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: AlCsIOd0pd.exe, 00000000.00000003.1748570602.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, AlCsIOd0pd.exe, 00000000.00000002.3251443342.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1783897542.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3252220820.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.3251589290.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1784572733.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3251444322.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1896625468.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.1976471958.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3251481803.000000000055D000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: AlCsIOd0pd.exe, 00000000.00000003.1748570602.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, AlCsIOd0pd.exe, 00000000.00000002.3251443342.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1783897542.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3252220820.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.3251589290.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1784572733.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3251444322.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1896625468.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.1976471958.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3251481803.000000000055D000.00000002.00000001.01000000.00000005.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: AlCsIOd0pd.exe

ReversingLabs: Detection: 63%

Source: AlCsIOd0pd.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe

File read: C:\Users\user\Desktop\AlCsIOd0pd.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\AlCsIOd0pd.exe "C:\Users\user\Desktop\AlCsIOd0pd.exe"
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior

Source: AlCsIOd0pd.exe

Static file information: File size 3259920 > 1048576

Source: AlCsIOd0pd.exe

Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x264600

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe

Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,

0_2_004CF280

Source: initial sample

Static PE information: section where entry point is pointing to: .boot

Source: AlCsIOd0pd.exe	Static PE information: section name:
Source: AlCsIOd0pd.exe	Static PE information: section name:
Source: AlCsIOd0pd.exe	Static PE information: section name:
Source: AlCsIOd0pd.exe	Static PE information: section name:
Source: AlCsIOd0pd.exe	Static PE information: section name: .themida
Source: AlCsIOd0pd.exe	Static PE information: section name: .boot
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .themida
Source: RageMP131.exe.0.dr	Static PE information: section name: .boot
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .themida
Source: MPGPH131.exe.0.dr	Static PE information: section name: .boot

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: 0_2_00598B86 push 677583F0h; mov dword ptr [esp], ecx	0_2_00873ADB
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: 0_2_00598B86 push edx; mov dword ptr [esp], 7E9A49CCh	0_2_00873B0A
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: 0_2_00598B86 push 0EDD01E1h; mov dword ptr [esp], ecx	0_2_00873B1D
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: 0_2_00433F59 push ecx; ret	0_2_00433F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00598B86 push 677583F0h; mov dword ptr [esp], ecx	5_2_00873ADB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00598B86 push edx; mov dword ptr [esp], 7E9A49CCh	5_2_00873B0A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00598B86 push 0EDD01E1h; mov dword ptr [esp], ecx	5_2_00873B1D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00433F59 push ecx; ret	5_2_00433F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00598B86 push 677583F0h; mov dword ptr [esp], ecx	6_2_00873ADB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00598B86 push edx; mov dword ptr [esp], 7E9A49CCh	6_2_00873B0A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00598B86 push 0EDD01E1h; mov dword ptr [esp], ecx	6_2_00873B1D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00433F59 push ecx; ret	6_2_00433F6C

Source: AlCsIOd0pd.exe	Static PE information: section name: entropy: 7.980197821543003
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.980197821543003
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.980197821543003

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe			Jump to dropped file
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe			Jump to dropped file

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Stalling execution: Execution stalls by calling Sleep			graph_0-13659
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Stalling execution: Execution stalls by calling Sleep			graph_5-13659

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	System information queried: FirmwareTableInformation	Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Special instruction interceptor: First address: 625E3C instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 625E3C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 625E3C instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Window / User API: threadDelayed 3495	Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Window / User API: threadDelayed 6379	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 9806	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 9807	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 9782	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 9885	Jump to behavior

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)			graph_5-13659
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)			graph_0-13659

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-16262
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_5-16262

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe TID: 3084	Thread sleep count: 3495 > 30	Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe TID: 3084	Thread sleep time: -352995s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe TID: 3084	Thread sleep count: 6379 > 30	Jump to behavior
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe TID: 3084	Thread sleep time: -644279s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1376	Thread sleep count: 78 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1376	Thread sleep count: 9806 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1376	Thread sleep time: -990406s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5436	Thread sleep count: 74 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5436	Thread sleep count: 9807 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5436	Thread sleep time: -990507s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1896	Thread sleep count: 101 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1896	Thread sleep count: 9782 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1896	Thread sleep time: -987982s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4520	Thread sleep count: 9885 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4520	Thread sleep time: -998385s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError,	0_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00431F9C FindClose,FindFirstFileExW,GetLastError,	5_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00431F9C FindClose,FindFirstFileExW,GetLastError,	6_2_00431F9C

Source: AlCsIOd0pd.exe, 00000000.00000003.1768008425.0000000000D81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\|
Source: AlCsIOd0pd.exe, 00000000.00000002.3253969387.0000000000D81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}i
Source: RageMP131.exe, 0000000B.00000002.3253822490.0000000000E30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 00000006.00000002.3253912060.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: MPGPH131.exe, 00000005.00000002.3255069543.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@_
Source: MPGPH131.exe, 00000006.00000002.3253912060.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}M81
Source: AlCsIOd0pd.exe, 00000000.00000002.3253969387.0000000000D6A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}-K
Source: RageMP131.exe, 0000000B.00000003.1988485374.0000000000E97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000005.00000002.3255069543.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&m
Source: AlCsIOd0pd.exe, 00000000.00000003.1768008425.0000000000D81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}]
Source: RageMP131.exe, 00000007.00000002.3253787477.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__orpo
Source: MPGPH131.exe, 00000005.00000002.3255069543.0000000000CED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}t #7NVD slot #7
Source: AlCsIOd0pd.exe, 00000000.00000002.3253969387.0000000000D6A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000%
Source: RageMP131.exe, 00000007.00000002.3253787477.0000000000D8F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: MPGPH131.exe, 00000006.00000002.3253912060.0000000000C56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}>jD
Source: RageMP131.exe, 00000007.00000002.3253787477.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}yj
Source: AlCsIOd0pd.exe, 00000000.00000002.3253969387.0000000000D3F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_BEB2C06B
Source: MPGPH131.exe, 00000005.00000003.1808009410.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}O
Source: RageMP131.exe, 0000000B.00000003.1988485374.0000000000E97000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 0000000B.00000002.3253822490.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
Source: AlCsIOd0pd.exe, 00000000.00000002.3253969387.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}NVD slot #44NVD slot #44
Source: AlCsIOd0pd.exe, 00000000.00000002.3253969387.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} slot #34
Source: AlCsIOd0pd.exe, 00000000.00000002.3253969387.0000000000D6A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3255069543.0000000000D3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe

Code function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00438A64

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe

0_2_004CF280

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00438A64
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: 0_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0043451D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00438A64
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0043451D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00438A64
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_0043451D

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,	0_2_004CF280
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,	5_2_004CF280
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,	6_2_004CF280

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: GetLocaleInfoW,	0_2_004531CA
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: EnumSystemLocalesW,	0_2_0044B1B1
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_004532F3
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00452B5A
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: GetLocaleInfoW,	0_2_004533F9
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_004534CF
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: GetLocaleInfoW,	0_2_00452D5F
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: EnumSystemLocalesW,	0_2_00452E51
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: EnumSystemLocalesW,	0_2_00452E06
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: EnumSystemLocalesW,	0_2_00452EEC
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00452F77
Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Code function: GetLocaleInfoW,	0_2_0044B734
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	5_2_004531CA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	5_2_0044B1B1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_004532F3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	5_2_00452B5A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	5_2_004533F9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_004534CF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	5_2_00452D5F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	5_2_00452E51
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	5_2_00452E06
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	5_2_00452EEC
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	5_2_00452F77
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	5_2_0044B734
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	6_2_004531CA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	6_2_0044B1B1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_004532F3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	6_2_00452B5A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	6_2_004533F9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_004534CF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	6_2_00452D5F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	6_2_00452E51
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	6_2_00452E06
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	6_2_00452EEC
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	6_2_00452F77
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	6_2_0044B734

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe

Code function: 0_2_0043361D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

0_2_0043361D

Source: C:\Users\user\Desktop\AlCsIOd0pd.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: Process Memory Space: AlCsIOd0pd.exe PID: 4852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 5644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 5740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 3720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 4460, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: Process Memory Space: AlCsIOd0pd.exe PID: 4852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 5644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 5740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 3720, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 4460, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	12 Virtualization/Sandbox Evasion	LSASS Memory	421 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Native API	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	11 Process Injection	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	123 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
AlCsIOd0pd.exe	63%	ReversingLabs	Win32.Trojan.RiseProStealer
AlCsIOd0pd.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	63%	ReversingLabs	Win32.Trojan.RiseProStealer
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	63%	ReversingLabs	Win32.Trojan.RiseProStealer

Source	Detection	Scanner	Label
https://ipinfo.io/	0%	URL Reputation	safe
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
http://www.winimage.com/zLibDll	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORTX	0%	Avira URL Cloud	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Avira URL Cloud	safe
https://www.maxmind.com/en/locate-my-ip-address	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORTB	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORToE	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	AlCsIOd0pd.exe, 00000000.00000003.1748570602.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, AlCsIOd0pd.exe, 00000000.00000002.3251443342.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1783897542.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3252220820.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.3251589290.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1784572733.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3251444322.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1896625468.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.1976471958.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3251481803.000000000055D000.00000002.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORTX	RageMP131.exe, 00000007.00000002.3253787477.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll	AlCsIOd0pd.exe, 00000000.00000003.1748570602.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, AlCsIOd0pd.exe, 00000000.00000002.3251443342.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1783897542.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3252220820.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.3251589290.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1784572733.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3251444322.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1896625468.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.1976471958.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3251481803.000000000055D000.00000002.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORT	AlCsIOd0pd.exe, 00000000.00000002.3253969387.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3255069543.0000000000CED000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3253912060.0000000000C37000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3253787477.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3253822490.0000000000E38000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/	MPGPH131.exe	false	URL Reputation: safe	unknown
https://t.me/RiseProSUPPORTB	AlCsIOd0pd.exe, 00000000.00000002.3253969387.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORToE	MPGPH131.exe, 00000006.00000002.3253912060.0000000000C37000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.maxmind.com/en/locate-my-ip-address	MPGPH131.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
77.91.77.66	unknown	Russian Federation		42861	FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1460268
Start date and time:	2024-06-20 18:15:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	AlCsIOd0pd.exe renamed because original name is a hash value
Original Sample Name:	de584dd4970a8099454611ee0c739ea8.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
VT rate limit hit for: AlCsIOd0pd.exe

Simulations

Behavior and APIs

Time	Type	Description
12:16:49	API Interceptor	331415x Sleep call for process: AlCsIOd0pd.exe modified
12:16:53	API Interceptor	593250x Sleep call for process: MPGPH131.exe modified
12:17:05	API Interceptor	410683x Sleep call for process: RageMP131.exe modified
17:16:18	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
17:16:18	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
17:16:21	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
17:16:29	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
77.91.77.66	setup.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	D44CPdpkNk.exe	Get hash	malicious	RisePro Stealer	Browse
	WGEfBWbWQI.exe	Get hash	malicious	RisePro Stealer	Browse
	2bT2lTwRku.exe	Get hash	malicious	RisePro Stealer	Browse
	T17sbXrL3i.exe	Get hash	malicious	RisePro Stealer	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	setup.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	77.91.77.81
	setup.exe	Get hash	malicious	Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	77.91.77.81
	FN MultiHack v2.exe	Get hash	malicious	RedLine	Browse	77.91.77.6
	D44CPdpkNk.exe	Get hash	malicious	RisePro Stealer	Browse	77.91.77.66
	https://drive.google.com/file/d/1SCCeBL3Md8Sct7wQF5bfbtLysFqXCW6y/view?ts=667387ac	Get hash	malicious	Unknown	Browse	77.91.77.5
	https://drive.google.com/file/d/1SCCeBL3Md8Sct7wQF5bfbtLysFqXCW6y/view?ts=667387ac	Get hash	malicious	Unknown	Browse	77.91.77.5
	WGEfBWbWQI.exe	Get hash	malicious	RisePro Stealer	Browse	77.91.77.66
	2bT2lTwRku.exe	Get hash	malicious	RisePro Stealer	Browse	77.91.77.66
	T17sbXrL3i.exe	Get hash	malicious	RisePro Stealer	Browse	77.91.77.66
	2022and2023TaxDocuments.zip	Get hash	malicious	Remcos	Browse	77.91.77.107

Process:	C:\Users\user\Desktop\AlCsIOd0pd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3259920
Entropy (8bit):	7.966792574709497
Encrypted:	false
SSDEEP:	98304:t+VDlD+ah2X5f2CiioP8peU/Ju4+iU2lfOZy81+1l:AnZYuTcRxuZiUiW9+1l
MD5:	DE584DD4970A8099454611EE0C739EA8
SHA1:	F22FE3BFB22B55D1F0DC2FD802A32D2BEB157E0B
SHA-256:	D0EFF53CFD30F061451987B4E98205D81F9495E8F26DEF46AEC15F7A4C171C20
SHA-512:	58470AB84C35022860036CB5DFDCCEC9BB1F1EBEA37E4745EFC70C464E2FFB9B9835A1251CDF76C012F56DD0A72A4D448B0AC298DA02F4676EBCCCC03B2A0B76
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....\|......X.X...........@..........................`~......W2......................................a..........8....................P~..............................p...............................6..@................... ........................... ..` 2~..........................@..@ 0I...P......................@....rsrc...8...........................@..@ X........r..................@..B.idata.......`.......r..............@....tls.........p.......v...................themida..>..........x..............`....boot....F&...X..F&..x..............`..`.reloc.......P~.......1................@................................................................

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\AlCsIOd0pd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Download File

Process:	C:\Users\user\Desktop\AlCsIOd0pd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3259920
Entropy (8bit):	7.966792574709497
Encrypted:	false
SSDEEP:	98304:t+VDlD+ah2X5f2CiioP8peU/Ju4+iU2lfOZy81+1l:AnZYuTcRxuZiUiW9+1l
MD5:	DE584DD4970A8099454611EE0C739EA8
SHA1:	F22FE3BFB22B55D1F0DC2FD802A32D2BEB157E0B
SHA-256:	D0EFF53CFD30F061451987B4E98205D81F9495E8F26DEF46AEC15F7A4C171C20
SHA-512:	58470AB84C35022860036CB5DFDCCEC9BB1F1EBEA37E4745EFC70C464E2FFB9B9835A1251CDF76C012F56DD0A72A4D448B0AC298DA02F4676EBCCCC03B2A0B76
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....\|......X.X...........@..........................`~......W2......................................a..........8....................P~..............................p...............................6..@................... ........................... ..` 2~..........................@..@ 0I...P......................@....rsrc...8...........................@..@ X........r..................@..B.idata.......`.......r..............@....tls.........p.......v...................themida..>..........x..............`....boot....F&...X..F&..x..............`..`.reloc.......P~.......1................@................................................................

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\AlCsIOd0pd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Download File

Process:	C:\Users\user\Desktop\AlCsIOd0pd.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	13
Entropy (8bit):	2.8731406795131336
Encrypted:	false
SSDEEP:	3:L1VRXxn:TRXxn
MD5:	2D8F5D015AFD07E66F8F107CA36CCB48
SHA1:	FD9059874E9195951B8F1BEC90C2006B3263A6C9
SHA-256:	6C8364F8F9303EAE139976F9FDA7A9231F560D1173BBD4CC8C6A0269CCBB555D
SHA-512:	EBAE6B06D775C9BC8DFCDA058DE1DD41784C074409D2D17DBB399037E5635F3C7993E8670F64376AA8FCDAF5795FBF152134C3C356FF37E5070C1648306FD722
Malicious:	false
Reputation:	low
Preview:	1718904293224

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.966792574709497
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	AlCsIOd0pd.exe
File size:	3'259'920 bytes
MD5:	de584dd4970a8099454611ee0c739ea8
SHA1:	f22fe3bfb22b55d1f0dc2fd802a32d2beb157e0b
SHA256:	d0eff53cfd30f061451987b4e98205d81f9495e8f26def46aec15f7a4c171c20
SHA512:	58470ab84c35022860036cb5dfdccec9bb1f1ebea37e4745efc70c464e2ffb9b9835a1251cdf76c012f56dd0a72a4d448b0ac298da02f4676ebcccc03b2a0b76
SSDEEP:	98304:t+VDlD+ah2X5f2CiioP8peU/Ju4+iU2lfOZy81+1l:AnZYuTcRxuZiUiW9+1l
TLSH:	94E533201ED31790C1B713F6AE7B2D1A1B43F26A51B47D20812F7ED9D9AE21C6BD506C
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s

File Icon


Icon Hash:	8596a1a0a1a1b171

Static PE Info

General

Entrypoint:	0x980058
Entrypoint Section:	.boot
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x664C6914 [Tue May 21 09:27:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	63814aaf116ba6abb6496ce4bcad24c6

Entrypoint Preview

Instruction
call 00007FD0F11318A0h
push ebx
mov ebx, esp
push ebx
mov esi, dword ptr [ebx+08h]
mov edi, dword ptr [ebx+10h]
cld
mov dl, 80h
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
mov ebx, 00000002h
add dl, dl
jne 00007FD0F1131757h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007FD0F113173Ch
add dl, dl
jne 00007FD0F1131757h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007FD0F11317A3h
xor eax, eax
add dl, dl
jne 00007FD0F1131757h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jnc 00007FD0F1131837h
add dl, dl
jne 00007FD0F1131757h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FD0F1131757h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FD0F1131757h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FD0F1131757h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
je 00007FD0F113175Ah
push edi
mov eax, eax
sub edi, eax
mov al, byte ptr [edi]
pop edi
mov byte ptr [edi], al
inc edi
mov ebx, 00000002h
jmp 00007FD0F11316EBh
mov eax, 00000001h
add dl, dl
jne 00007FD0F1131757h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FD0F1131757h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jc 00007FD0F113173Ch
sub eax, ebx
mov ebx, 00000001h
jne 00007FD0F113177Ah
mov ecx, 00000001h
add dl, dl
jne 00007FD0F1131757h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc ecx, ecx
add dl, dl
jne 00007FD0F1131757h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jc 00007FD0F113173Ch
push esi
mov esi, edi
sub esi, ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19618b	0x184	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18a000	0x1638	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7e5000	0x10	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x197018	0x18	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x18369c	0x40
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x15bbc8	0x9d200	72be48f03fa29b125860aa4b7040515f	False	0.9988486351431981	data	7.980197821543003	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0x15d000	0x27e32	0x10a00	632b628419d20fc973bcfda8cff5f3be	False	0.9942874765037594	data	7.949044417592158	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x185000	0x4930	0x800	13c7d36a38dc58d8a970d8d422275803	False	0.98974609375	OpenPGP Public Key	7.765144396837099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x18a000	0x1638	0x1800	fe6f3fdb9e7e97cba92d8ce4e4fcc95b	False	0.7220052083333334	data	6.54017046361188	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x18c000	0x9858	0x7200	96fc680932cb7019c6055702e4e238e3	False	0.9789953399122807	data	7.930725168164811	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x196000	0x1000	0x400	1b20e07443fa333ff9692026d1e6c6c2	False	0.3984375	data	3.42439969016873	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x197000	0x1000	0x200	54a50a058e0f3b6aa2fe1b22e2033106	False	0.056640625	data	0.18120187678200297	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.themida	0x198000	0x3e8000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot	0x580000	0x264600	0x264600	53baa03dffef8344a9262941737c70c7	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x7e5000	0x1000	0x10	f5bc99b71bad9e8a775cc32747e3ca58	False	1.5	GLS_BINARY_LSB_FIRST	2.474601752714581	IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x18a440	0x1060	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia	0.8838263358778626
RT_GROUP_ICON	0x18b4a0	0x14	data	Russian	Russia	1.05
RT_VERSION	0x18a130	0x310	data	Russian	Russia	0.45408163265306123
RT_MANIFEST	0x18b4b8	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	GetModuleHandleA
USER32.dll	wsprintfA
GDI32.dll	CreateCompatibleBitmap
ADVAPI32.dll	RegQueryValueExA
SHELL32.dll	ShellExecuteA
ole32.dll	CoInitialize
WS2_32.dll	WSAStartup
CRYPT32.dll	CryptUnprotectData
SHLWAPI.dll	PathFindExtensionA
gdiplus.dll	GdipGetImageEncoders
SETUPAPI.dll	SetupDiEnumDeviceInfo
ntdll.dll	RtlUnicodeStringToAnsiString
RstrtMgr.DLL	RmStartSession

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/20/24-18:18:46.029864	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49741	58709	192.168.2.4	77.91.77.66
06/20/24-18:16:18.111786	TCP	2049060	ET TROJAN RisePro TCP Heartbeat Packet	49731	58709	192.168.2.4	77.91.77.66
06/20/24-18:18:43.639253	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49732	58709	192.168.2.4	77.91.77.66
06/20/24-18:18:46.029916	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49735	58709	192.168.2.4	77.91.77.66
06/20/24-18:18:45.967425	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49731	58709	192.168.2.4	77.91.77.66
06/20/24-18:16:22.687972	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49732	77.91.77.66	192.168.2.4
06/20/24-18:16:40.743118	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49741	77.91.77.66	192.168.2.4
06/20/24-18:16:18.693887	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49731	77.91.77.66	192.168.2.4
06/20/24-18:16:22.714525	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49733	77.91.77.66	192.168.2.4
06/20/24-18:18:43.701803	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49733	58709	192.168.2.4	77.91.77.66
06/20/24-18:16:34.458767	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49735	77.91.77.66	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 20, 2024 18:16:18.082406998 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:18.087196112 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:16:18.087280989 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:18.111785889 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:18.116616964 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:16:18.693886995 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:16:18.748128891 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:21.826422930 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:21.849236012 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:16:22.083770037 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:22.084619045 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:22.088967085 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:16:22.089078903 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:22.090025902 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:16:22.090116024 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:22.097835064 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:22.097959995 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:22.102804899 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:16:22.103224039 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:16:22.687972069 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:16:22.714524984 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:16:22.732546091 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:22.763778925 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:25.810913086 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:25.816184998 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:16:25.826411963 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:25.831402063 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:16:33.820631027 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:33.827883959 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:16:33.827955961 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:33.850049019 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:33.855003119 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:16:34.458766937 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:16:34.513776064 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:37.592094898 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:37.597034931 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:16:40.131934881 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:40.137490034 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:16:40.137599945 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:40.154479027 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:40.159463882 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:16:40.743118048 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:16:40.795069933 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:43.857678890 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:43.862550020 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:16:53.139162064 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:53.144341946 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:16:57.092277050 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:57.097079992 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:16:57.170197964 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:16:57.175059080 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:08.920384884 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:08.925599098 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:11.936005116 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:11.941045046 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:15.185986042 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:15.190887928 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:15.873939037 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:15.879354954 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:15.967291117 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:15.972165108 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:21.310914993 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:21.316880941 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:24.454423904 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:24.459355116 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:25.279653072 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:25.284882069 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:25.389334917 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:25.394721985 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:27.576925993 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:27.582823038 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:27.702027082 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:27.708401918 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:28.420510054 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:28.425458908 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:28.517594099 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:28.522556067 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:30.736263990 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:30.745033026 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:31.561017036 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:31.566310883 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:31.654854059 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:31.659856081 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:33.858002901 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:33.863140106 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:33.967370033 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:33.973140955 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:34.686566114 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:34.692332029 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:34.780193090 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:34.785100937 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:36.998781919 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:37.003981113 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:37.108062983 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:37.112979889 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:37.826740980 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:37.832756996 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:37.906755924 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:37.911712885 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:40.123719931 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:40.128653049 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:40.248564005 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:40.253926992 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:40.967447042 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:40.972373962 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:41.029810905 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:41.034718037 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:43.264266968 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:43.269362926 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:43.373465061 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:43.376195908 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:43.380398989 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:43.381427050 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:44.092204094 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:44.097125053 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:44.170373917 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:44.175200939 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:46.404901028 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:46.409967899 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:46.498620033 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:46.498620033 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:46.503508091 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:46.503520012 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:47.217345953 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:47.222398043 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:47.295483112 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:47.300584078 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:49.545661926 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:49.550859928 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:49.623709917 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:49.627721071 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:49.628674984 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:49.632498026 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:50.342365980 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:50.347349882 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:50.436182022 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:50.441106081 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:52.670891047 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:52.676013947 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:52.748569965 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:52.748569965 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:52.754863977 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:52.754878044 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:53.467386961 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:53.472249031 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:53.576813936 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:53.581693888 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:55.795363903 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:55.800189018 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:55.889224052 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:55.889260054 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:55.894006014 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:55.894095898 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:56.607949972 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:56.613042116 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:56.717566967 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:56.722527981 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:58.937108994 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:58.942126989 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:59.014260054 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:59.014303923 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:59.020181894 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:59.020253897 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:59.748775959 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:59.753906965 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:17:59.858185053 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:17:59.863053083 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:02.061353922 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:02.066590071 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:02.154870987 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:02.154917002 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:02.160830021 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:02.160846949 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:02.889441013 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:02.896599054 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:02.983768940 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:02.991080046 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:05.201714993 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:05.206844091 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:05.295502901 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:05.300564051 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:05.300678968 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:05.305542946 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:06.014344931 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:06.019401073 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:06.108160973 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:06.113195896 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:08.343862057 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:08.348886013 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:08.420466900 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:08.424453020 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:08.425554037 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:08.429310083 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:09.154839993 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:09.160027981 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:09.248553991 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:09.254897118 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:11.483021975 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:11.488552094 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:11.561369896 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:11.561443090 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:11.570662022 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:11.571245909 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:12.279865026 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:12.285075903 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:12.389247894 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:12.394246101 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:14.623620033 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:14.628688097 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:14.686108112 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:14.686141968 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:14.691111088 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:14.691131115 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:15.404898882 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:15.412401915 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:15.514271021 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:15.519392967 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:17.749006987 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:17.753881931 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:17.826817036 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:17.826817036 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:17.834220886 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:17.834240913 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:18.545907021 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:18.550836086 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:18.639486074 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:18.644351959 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:20.874095917 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:20.879035950 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:20.967571974 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:20.967650890 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:20.973581076 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:20.973701000 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:21.670627117 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:21.675652027 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:21.780040979 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:21.785063028 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:24.014272928 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:24.020559072 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:24.108004093 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:24.108004093 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:24.298521996 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:24.298697948 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:24.811269045 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:24.816102982 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:24.905145884 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:24.910788059 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:27.154906034 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:27.159956932 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:27.248706102 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:27.248742104 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:27.254652977 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:27.254673004 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:27.951773882 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:27.956631899 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:28.045533895 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:28.051101923 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:30.295551062 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:30.389306068 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:30.391441107 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:30.493395090 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:30.493438005 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:30.493468046 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:31.092443943 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:31.097237110 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:31.170707941 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:31.175538063 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:33.420533895 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:33.425492048 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:33.514206886 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:33.514251947 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:33.519130945 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:33.519500017 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:34.233072042 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:34.237952948 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:34.311182022 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:34.317667961 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:36.561214924 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:36.566143036 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:36.639219046 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:36.639262915 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:36.645170927 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:36.645188093 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:37.373574972 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:37.378360987 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:37.436151981 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:37.441423893 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:39.686177969 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:39.690995932 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:39.764250994 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:39.764300108 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:39.769045115 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:39.769207954 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:40.514302015 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:40.519665956 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:40.576776028 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:40.581871033 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:42.826821089 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:42.831593990 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:42.905057907 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:42.905111074 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:42.911545992 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:42.911560059 CEST	58709	49735	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:43.639252901 CEST	49732	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:43.644092083 CEST	58709	49732	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:43.701802969 CEST	49733	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:43.706597090 CEST	58709	49733	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:45.967425108 CEST	49731	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:45.972402096 CEST	58709	49731	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:46.029864073 CEST	49741	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:46.029916048 CEST	49735	58709	192.168.2.4	77.91.77.66
Jun 20, 2024 18:18:46.035264015 CEST	58709	49741	77.91.77.66	192.168.2.4
Jun 20, 2024 18:18:46.035303116 CEST	58709	49735	77.91.77.66	192.168.2.4

Target ID:	0
Start time:	12:16:14
Start date:	20/06/2024
Path:	C:\Users\user\Desktop\AlCsIOd0pd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AlCsIOd0pd.exe"
Imagebase:	0x400000
File size:	3'259'920 bytes
MD5 hash:	DE584DD4970A8099454611EE0C739EA8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	12:16:16
Start date:	20/06/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0xb50000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:16:16
Start date:	20/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:16:16
Start date:	20/06/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase:	0xb50000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:16:16
Start date:	20/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:16:18
Start date:	20/06/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x400000
File size:	3'259'920 bytes
MD5 hash:	DE584DD4970A8099454611EE0C739EA8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	12:16:18
Start date:	20/06/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x400000
File size:	3'259'920 bytes
MD5 hash:	DE584DD4970A8099454611EE0C739EA8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	12:16:29
Start date:	20/06/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x400000
File size:	3'259'920 bytes
MD5 hash:	DE584DD4970A8099454611EE0C739EA8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	12:16:37
Start date:	20/06/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x400000
File size:	3'259'920 bytes
MD5 hash:	DE584DD4970A8099454611EE0C739EA8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AlCsIOd0pd.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\MPGPH131\MPGPH131.exe

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Windows Analysis Report
AlCsIOd0pd.exe