Windows Analysis Report
YnsEArPlqx.exe

Overview

General Information

Sample name: YnsEArPlqx.exe (renamed because original name is a hash value)
Original sample name: ab8e88bff0b907fc49b949d704490018.exe
Analysis ID: 1460294
MD5: ab8e88bff0b907fc49b949d704490018
SHA1: 559f2f2b61bd344293f7cbc78b72d8e368910ae3
SHA256: 921c5314fc334bac928a8398da1c8341b1021cf92ae83bf8b872d422f2e7ef8f
Tags: exe, RiseProStealer

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • YnsEArPlqx.exe (PID: 7408 cmdline: "C:\Users\user\Desktop\YnsEArPlqx.exe" MD5: AB8E88BFF0B907FC49B949D704490018)
    • schtasks.exe (PID: 7528 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7576 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • MPGPH131.exe (PID: 7632 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: AB8E88BFF0B907FC49B949D704490018)
  • MPGPH131.exe (PID: 7640 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: AB8E88BFF0B907FC49B949D704490018)
  • RageMP131.exe (PID: 7852 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: AB8E88BFF0B907FC49B949D704490018)
  • RageMP131.exe (PID: 8008 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: AB8E88BFF0B907FC49B949D704490018)
  • cleanup
No configs have been found
Yara matches (Source | Rule | Description | Author | Strings):
Process Memory Space: YnsEArPlqx.exe PID: 7408 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
Process Memory Space: MPGPH131.exe PID: 7632 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
Process Memory Space: MPGPH131.exe PID: 7640 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
Process Memory Space: RageMP131.exe PID: 7852 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
Process Memory Space: RageMP131.exe PID: 8008 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\YnsEArPlqx.exe, ProcessId: 7408, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131
Snort IDS alerts:
Timestamp: 06/20/24-18:59:13.624078 | SID: 2046269 | Source Port: 49741 | Destination Port: 58709 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/20/24-18:58:58.560662 | SID: 2046269 | Source Port: 49732 | Destination Port: 58709 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/20/24-18:58:52.840391 | SID: 2046269 | Source Port: 49731 | Destination Port: 58709 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/20/24-18:57:14.894991 | SID: 2049060 | Source Port: 49731 | Destination Port: 58709 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/20/24-18:59:07.355875 | SID: 2046269 | Source Port: 49739 | Destination Port: 58709 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/20/24-18:57:18.828226 | SID: 2046266 | Source Port: 58709 | Destination Port: 49732 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/20/24-18:58:03.049093 | SID: 2046267 | Source Port: 58709 | Destination Port: 49741 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/20/24-18:57:35.040865 | SID: 2046266 | Source Port: 58709 | Destination Port: 49741 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/20/24-18:57:15.478080 | SID: 2046266 | Source Port: 58709 | Destination Port: 49731 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/20/24-18:57:18.837910 | SID: 2046266 | Source Port: 58709 | Destination Port: 49733 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/20/24-18:58:58.606045 | SID: 2046269 | Source Port: 49733 | Destination Port: 58709 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/20/24-18:57:40.684951 | SID: 2046267 | Source Port: 58709 | Destination Port: 49739 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/20/24-18:57:26.019896 | SID: 2046266 | Source Port: 58709 | Destination Port: 49739 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/20/24-18:57:40.086663 | SID: 2046267 | Source Port: 58709 | Destination Port: 49731 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/20/24-18:57:40.210568 | SID: 2046267 | Source Port: 58709 | Destination Port: 49732 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/20/24-18:57:40.261626 | SID: 2046267 | Source Port: 58709 | Destination Port: 49733 | Protocol: TCP | Classtype: A Network Trojan was detected

AV Detection

Source: http://77.91.77.81/mine/amadka.exeisepro_bot | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exe | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe3377b | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe.1 | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe0.1 | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.e | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exeB | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exeT3EU | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exeisepro_botA% | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exek.com | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exew9u | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe/risepro | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe0.1 | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exeOP | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe | Avira URL Cloud: Label: malware
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Joe Sandbox ML: detected
Source: YnsEArPlqx.exe | Joe Sandbox ML: detected
Source: YnsEArPlqx.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError,0_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00431F9C FindClose,FindFirstFileExW,GetLastError,6_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_00431F9C FindClose,FindFirstFileExW,GetLastError,7_2_00431F9C

Networking

Source: Traffic | Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49731 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49731
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49731 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49732
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49733
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49733 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49739
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49739 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49741
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49741 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49731
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49732
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49733
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49739
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49741
Source: global traffic | TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 77.91.77.66:58709
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: ipinfo.io | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 34.117.186.192
Source: Joe Sandbox View | IP Address: 34.117.186.192
Source: Joe Sandbox View | IP Address: 172.67.75.166
Source: Joe Sandbox View | IP Address: 77.91.77.66
Source: Joe Sandbox View | ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | DNS query: name: ipinfo.io (4 identical entries)
Source: global traffic | HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Referer: https://ipinfo.io/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: ipinfo.io (4 identical entries)
Source: global traffic | HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: db-ip.com (4 identical entries)
Source: global traffic | HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Referer: https://ipinfo.io/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: ipinfo.io
Source: global traffic | HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: db-ip.com
Source: unknown | TCP traffic detected without corresponding DNS query: 77.91.77.66 (50 identical entries)
Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: 0_2_00409280 recv,GetProcAddress,GetModuleHandleA,GetProcAddress,WSASend,0_2_00409280
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: ipinfo.io | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Referer: https://ipinfo.io/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: ipinfo.io (4 identical entries)
Source: global traffic | HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: db-ip.com (4 identical entries)
Source: global traffic | HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Referer: https://ipinfo.io/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: ipinfo.io
Source: global traffic | HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: db-ip.com
Source: global traffic | DNS traffic detected: DNS query: ipinfo.io
Source: global traffic | DNS traffic detected: DNS query: db-ip.com
Source: RageMP131.exe, 0000000C.00000002.3056865794.0000000000F59000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/go.exe
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/go.exeOP
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/go.exeT3EU
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/go.exew9u
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/lenin.e
Source: RageMP131.exe, 0000000C.00000002.3056865794.0000000000F59000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/lenin.exe
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/lenin.exe/risepro
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/lenin.exe0.1
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/lenin.exek.com
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/mine/amadka.exe
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/mine/amadka.exe.1
Source: RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/mine/amadka.exe0.1
Source: MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/mine/amadka.exe3377b
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/mine/amadka.exeB
Source: MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/mine/amadka.exeisepro_bot
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/mine/amadka.exeisepro_botA%
Source: YnsEArPlqx.exe, 00000000.00000003.1815516370.0000000002980000.00000004.00001000.00020000.00000000.sdmp, YnsEArPlqx.exe, 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1854273690.0000000002860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1854619896.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000B.00000003.1930519219.0000000002740000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3053466368.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000002.3053447329.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2009098412.0000000002840000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/L
Source: RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/V
Source: MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3055498202.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000EC2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.333
Source: MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33f7
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33k
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33w
Source: RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/h
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/oV
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33
            Source: RageMP131.exe, 0000000B.00000002.3055498202.0000000000C5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.338
            Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33H
            Source: MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33M
            Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EDC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/
            Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000E45000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EDC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/Mozilla/5.0
            Source: YnsEArPlqx.exe, 00000000.00000003.1815516370.0000000002980000.00000004.00001000.00020000.00000000.sdmp, YnsEArPlqx.exe, 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1854273690.0000000002860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1854619896.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000B.00000003.1930519219.0000000002740000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3053466368.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000002.3053447329.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2009098412.0000000002840000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
            Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/s
            Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D2C000.00000004.00000020.00020000.00000000.sdmp, YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3055498202.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3055498202.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000E7C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
            Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33NA
            Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33P.tmp
            Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000E45000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933668257.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056302312.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EDC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
            Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.%9
            Source: MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.h
            Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3055498202.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000E67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORT
            Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000CDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTf
            Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000DCD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTt
            Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000E67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTv
            Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro
            Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot
            Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot3ABbfQUY
            Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot8
            Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botClyf(U3
            Source: RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botK:
            Source: MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botlater
            Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botrisep
            Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot~
            Source: MPGPH131.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
            Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
            Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49742 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49744 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49743 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49745 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49747 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49746 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49748 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49749 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49751 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49752 version: TLS 1.2

            System Summary

            Source: YnsEArPlqx.exe | Static PE information: section name:
            Source: YnsEArPlqx.exe | Static PE information: section name:
            Source: YnsEArPlqx.exe | Static PE information: section name:
            Source: YnsEArPlqx.exe | Static PE information: section name:
            Source: RageMP131.exe.0.dr | Static PE information: section name:
            Source: RageMP131.exe.0.dr | Static PE information: section name:
            Source: RageMP131.exe.0.dr | Static PE information: section name:
            Source: RageMP131.exe.0.dr | Static PE information: section name:
            Source: MPGPH131.exe.0.dr | Static PE information: section name:
            Source: MPGPH131.exe.0.dr | Static PE information: section name:
            Source: MPGPH131.exe.0.dr | Static PE information: section name:
            Source: MPGPH131.exe.0.dr | Static PE information: section name:
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: 0_2_0043C960
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: 0_2_0043A928
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: 0_2_004371A0
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: 0_2_0044DA86
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: 0_2_0044036F
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: 0_2_00458BB0
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: 0_2_004EFC40
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: 0_2_0042F580
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: 0_2_00452610
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: 0_2_004F2FD0
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: 0_2_004547BF
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0043C960
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0043A928
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004371A0
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0044DA86
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0044036F
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00458BB0
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004EFC40
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0042F580
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00452610
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004F2FD0
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004547BF
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_0043C960
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_0043A928
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_004371A0
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_0044DA86
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_0044036F
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_00458BB0
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_004EFC40
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_0042F580
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_00452610
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_004F2FD0
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_004547BF
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 00434380 appears 48 times
            Source: YnsEArPlqx.exe | Binary or memory string: OriginalFilename vs YnsEArPlqx.exe
            Source: YnsEArPlqx.exe, 00000000.00000000.1811623951.000000000058A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedotnet.exe6 vs YnsEArPlqx.exe
            Source: YnsEArPlqx.exe, 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedotnet.exe6 vs YnsEArPlqx.exe
            Source: YnsEArPlqx.exe | Binary or memory string: OriginalFilenamedotnet.exe6 vs YnsEArPlqx.exe
            Source: YnsEArPlqx.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: YnsEArPlqx.exe | Static PE information: Section: ZLIB complexity 0.9987973597852029
            Source: YnsEArPlqx.exe | Static PE information: Section: ZLIB complexity 0.994140625
            Source: YnsEArPlqx.exe | Static PE information: Section: .reloc ZLIB complexity 1.5
            Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9987973597852029
            Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.994140625
            Source: RageMP131.exe.0.dr | Static PE information: Section: .reloc ZLIB complexity 1.5
            Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9987973597852029
            Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.994140625
            Source: MPGPH131.exe.0.dr | Static PE information: Section: .reloc ZLIB complexity 1.5
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/5@3/3
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | File created: C:\Users\user\AppData\Local\RageMP131
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: YnsEArPlqx.exe, 00000000.00000003.1815516370.0000000002980000.00000004.00001000.00020000.00000000.sdmp, YnsEArPlqx.exe, 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1854273690.0000000002860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1854619896.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000B.00000003.1930519219.0000000002740000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3053466368.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000002.3053447329.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2009098412.0000000002840000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: YnsEArPlqx.exe, 00000000.00000003.1815516370.0000000002980000.00000004.00001000.00020000.00000000.sdmp, YnsEArPlqx.exe, 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1854273690.0000000002860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1854619896.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000B.00000003.1930519219.0000000002740000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3053466368.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000002.3053447329.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2009098412.0000000002840000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: YnsEArPlqx.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
            Source: MPGPH131.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
            Source: MPGPH131.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | File read: C:\Users\user\Desktop\YnsEArPlqx.exe
            Source: unknown | Process created: C:\Users\user\Desktop\YnsEArPlqx.exe "C:\Users\user\Desktop\YnsEArPlqx.exe"
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
            Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
            Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: rstrtmgr.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: d3d11.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: dxgi.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: resourcepolicyclient.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: d3d10warp.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: dxcore.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: devobj.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: webio.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: apphelp.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d11.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxgi.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: resourcepolicyclient.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: kernel.appcore.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d10warp.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: uxtheme.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxcore.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: webio.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: iphlpapi.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winnsi.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dnsapi.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rasadhlp.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: fwpuclnt.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: schannel.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mskeyprotect.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncryptsslp.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msasn1.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptsp.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rsaenh.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptbase.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: gpapi.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d11.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxgi.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: resourcepolicyclient.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: kernel.appcore.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d10warp.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: uxtheme.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxcore.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: devobj.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: webio.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: schannel.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rstrtmgr.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: d3d11.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dxgi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: resourcepolicyclient.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: d3d10warp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dxcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: devobj.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: webio.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rstrtmgr.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: d3d11.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dxgi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: resourcepolicyclient.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: d3d10warp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dxcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: devobj.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: webio.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: gpapi.dllJump to behavior
            Source: YnsEArPlqx.exeStatic file information: File size 3270672 > 1048576
            Source: YnsEArPlqx.exeStatic PE information: Raw size of .boot is bigger than: 0x100000 < 0x267000
            Source: C:\Users\user\Desktop\YnsEArPlqx.exeCode function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,0_2_004CF280
            Source: initial sampleStatic PE information: section where entry point is pointing to: .boot
            Source: YnsEArPlqx.exeStatic PE information: section name:
            Source: YnsEArPlqx.exeStatic PE information: section name:
            Source: YnsEArPlqx.exeStatic PE information: section name:
            Source: YnsEArPlqx.exeStatic PE information: section name:
            Source: YnsEArPlqx.exeStatic PE information: section name: .themida
            Source: YnsEArPlqx.exeStatic PE information: section name: .boot
            Source: RageMP131.exe.0.drStatic PE information: section name:
            Source: RageMP131.exe.0.drStatic PE information: section name:
            Source: RageMP131.exe.0.drStatic PE information: section name:
            Source: RageMP131.exe.0.drStatic PE information: section name:
            Source: RageMP131.exe.0.drStatic PE information: section name: .themida
            Source: RageMP131.exe.0.drStatic PE information: section name: .boot
            Source: MPGPH131.exe.0.drStatic PE information: section name:
            Source: MPGPH131.exe.0.drStatic PE information: section name:
            Source: MPGPH131.exe.0.drStatic PE information: section name:
            Source: MPGPH131.exe.0.drStatic PE information: section name:
            Source: MPGPH131.exe.0.drStatic PE information: section name: .themida
            Source: MPGPH131.exe.0.drStatic PE information: section name: .boot
            Source: C:\Users\user\Desktop\YnsEArPlqx.exeCode function: 0_2_0058901C push eax; iretd 0_2_0058901D
            Source: C:\Users\user\Desktop\YnsEArPlqx.exeCode function: 0_2_006E1593 push ecx; mov dword ptr [esp], ebp0_2_00822BC8
            Source: C:\Users\user\Desktop\YnsEArPlqx.exeCode function: 0_2_006E1593 push 57F325EEh; mov dword ptr [esp], eax0_2_00822C06
            Source: C:\Users\user\Desktop\YnsEArPlqx.exeCode function: 0_2_006E1593 push edi; mov dword ptr [esp], ebp0_2_00822C19
            Source: C:\Users\user\Desktop\YnsEArPlqx.exeCode function: 0_2_006E1593 push eax; mov dword ptr [esp], ecx0_2_00822C1D
            Source: C:\Users\user\Desktop\YnsEArPlqx.exeCode function: 0_2_006E1593 push 0F00E9F4h; mov dword ptr [esp], eax0_2_00822C7A
            Source: C:\Users\user\Desktop\YnsEArPlqx.exeCode function: 0_2_00433F59 push ecx; ret 0_2_00433F6C
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_006E1593 push ecx; mov dword ptr [esp], ebp6_2_00822BC8
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_006E1593 push 57F325EEh; mov dword ptr [esp], eax6_2_00822C06
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_006E1593 push edi; mov dword ptr [esp], ebp6_2_00822C19
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_006E1593 push eax; mov dword ptr [esp], ecx6_2_00822C1D
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_006E1593 push 0F00E9F4h; mov dword ptr [esp], eax6_2_00822C7A
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00433F59 push ecx; ret 6_2_00433F6C
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 7_2_006E1593 push ecx; mov dword ptr [esp], ebp7_2_00822BC8
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 7_2_006E1593 push 57F325EEh; mov dword ptr [esp], eax7_2_00822C06
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 7_2_006E1593 push edi; mov dword ptr [esp], ebp7_2_00822C19
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 7_2_006E1593 push eax; mov dword ptr [esp], ecx7_2_00822C1D
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 7_2_006E1593 push 0F00E9F4h; mov dword ptr [esp], eax7_2_00822C7A
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 7_2_00433F59 push ecx; ret 7_2_00433F6C
            Source: YnsEArPlqx.exeStatic PE information: section name: entropy: 7.981638520890903
            Source: RageMP131.exe.0.drStatic PE information: section name: entropy: 7.981638520890903
            Source: MPGPH131.exe.0.drStatic PE information: section name: entropy: 7.981638520890903
            Source: C:\Users\user\Desktop\YnsEArPlqx.exeFile created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeJump to dropped file
            Source: C:\Users\user\Desktop\YnsEArPlqx.exeFile created: C:\ProgramData\MPGPH131\MPGPH131.exeJump to dropped file
            Source: C:\Users\user\Desktop\YnsEArPlqx.exeFile created: C:\ProgramData\MPGPH131\MPGPH131.exeJump to dropped file

            Boot Survival

            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Stalling execution: Execution stalls by calling Sleep (graph_0-13672)
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Stalling execution: Execution stalls by calling Sleep (graph_6-14101)
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | System information queried: FirmwareTableInformation
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | System information queried: FirmwareTableInformation
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | System information queried: FirmwareTableInformation
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | System information queried: FirmwareTableInformation
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | System information queried: FirmwareTableInformation
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_0-13677)
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) (graph_6-14116)
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_6-16081)
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-16274)
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe TID: 7412 | Thread sleep count: 212 > 30
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe TID: 7624 | Thread sleep count: 39 > 30
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe TID: 7412 | Thread sleep count: 313 > 30
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe TID: 7412 | Thread sleep time: -31613s >= -30000s
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe TID: 7412 | Thread sleep count: 146 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7636 | Thread sleep count: 41 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7636 | Thread sleep count: 185 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7676 | Thread sleep count: 38 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7636 | Thread sleep count: 313 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7636 | Thread sleep time: -31613s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7636 | Thread sleep count: 143 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7644 | Thread sleep count: 40 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7644 | Thread sleep count: 184 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7672 | Thread sleep count: 39 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7644 | Thread sleep count: 311 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7644 | Thread sleep time: -31411s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7644 | Thread sleep count: 145 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7856 | Thread sleep count: 127 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7952 | Thread sleep count: 35 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7856 | Thread sleep count: 317 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7856 | Thread sleep time: -32017s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7856 | Thread sleep count: 144 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8012 | Thread sleep count: 91 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8012 | Thread sleep count: 244 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8028 | Thread sleep count: 35 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8012 | Thread sleep count: 284 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8012 | Thread sleep count: 144 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8012 | Thread sleep count: 121 > 30
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Last function: Thread delayed
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError, 0_2_00431F9C
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00431F9C FindClose,FindFirstFileExW,GetLastError, 6_2_00431F9C
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_00431F9C FindClose,FindFirstFileExW,GetLastError, 7_2_00431F9C
            Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
            Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWx
            Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000EC2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}E
            Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000E60000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&s
            Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
            Source: RageMP131.exe, 0000000C.00000003.2035826187.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWP
            Source: YnsEArPlqx.exe, 00000000.00000003.1840354529.0000000000D44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Cz
            Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBn
            Source: RageMP131.exe, 0000000B.00000003.1945525195.0000000000C61000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: RageMP131.exe, 0000000C.00000003.2035826187.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Q
            Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D2C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3055498202.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
            Source: RageMP131.exe, 0000000B.00000002.3055498202.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&9
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00438A64
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_004CF280
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00438A64
            Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: 0_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0043451D
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00438A64
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0043451D
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00438A64
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_0043451D

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\YnsEArPlqx.exeCode function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,0_2_004CF280
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,6_2_004CF280
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 7_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,7_2_004CF280
            Source: C:\Users\user\Desktop\YnsEArPlqx.exeCode function: GetLocaleInfoW,0_2_004531CA
            Source: C:\Users\user\Desktop\YnsEArPlqx.exeCode function: EnumSystemLocalesW,0_2_0044B1B1
Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004532F3
Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00452B5A
Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: GetLocaleInfoW,0_2_004533F9
Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_004534CF
Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: GetLocaleInfoW,0_2_00452D5F
Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: EnumSystemLocalesW,0_2_00452E51
Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: EnumSystemLocalesW,0_2_00452E06
Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: EnumSystemLocalesW,0_2_00452EEC
Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00452F77
Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: GetLocaleInfoW,0_2_0044B734
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,6_2_004531CA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW,6_2_0044B1B1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,6_2_004532F3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,6_2_00452B5A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,6_2_004533F9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,6_2_004534CF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,6_2_00452D5F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW,6_2_00452E51
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW,6_2_00452E06
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW,6_2_00452EEC
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,6_2_00452F77
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,6_2_0044B734
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,7_2_004531CA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW,7_2_0044B1B1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,7_2_004532F3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,7_2_00452B5A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,7_2_004533F9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,7_2_004534CF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,7_2_00452D5F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW,7_2_00452E51
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW,7_2_00452E06
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW,7_2_00452EEC
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,7_2_00452F77
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,7_2_0044B734
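The "Code function" rows above list each locale-query function by RVA, for the sample and for both MPGPH131.exe processes, and the addresses repeat exactly (0x004532F3, 0x00452B5A, 0x004534CF and so on). The script below is an added example, not part of the Joe Sandbox report: it parses rows in that format (a subset copied from the rows above, with the sample and the MPGPH131.exe rows of process 6), and checks whether the dropped file shows the same API chains at the same RVAs as the sample. Matching chains at matching addresses across two images is what a renamed copy of the same build looks like; a hash comparison of the two files is the confirming check.

```python
import re
from collections import defaultdict

# Constructed input: a subset of this report's "Code function" rows, copied as
# extracted (the YnsEArPlqx.exe rows and the MPGPH131.exe rows of process 6).
# The trailing token is Joe Sandbox's <process>_<run>_<RVA> identifier.
REPORT_ROWS = r"""
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004532F3
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00452B5A
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: GetLocaleInfoW,0_2_004533F9
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_004534CF
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: GetLocaleInfoW,0_2_00452D5F
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: EnumSystemLocalesW,0_2_00452E51
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: EnumSystemLocalesW,0_2_00452E06
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: EnumSystemLocalesW,0_2_00452EEC
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00452F77
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: GetLocaleInfoW,0_2_0044B734
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,6_2_004531CA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW,6_2_0044B1B1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,6_2_004532F3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW,6_2_00452B5A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,6_2_004533F9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,6_2_004534CF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,6_2_00452D5F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW,6_2_00452E51
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW,6_2_00452E06
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW,6_2_00452EEC
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,6_2_00452F77
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,6_2_0044B734
"""

# Accepts the rows as rendered ("...exeCode function:"), with a space, or with
# a "|" separator between the Source and Code function columns.
ROW_RE = re.compile(
    r"Source:\s*(?P<image>.+?\.exe)\s*\|?\s*Code function:\s*"
    r"(?P<apis>.*),(?P<proc>\d+)_(?P<run>\d+)_(?P<rva>[0-9A-Fa-f]{8})\s*$"
)


def parse_rows(text):
    """Map (image file name, process number) -> {rva: tuple of APIs}."""
    by_image = defaultdict(dict)
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        image = m["image"].rsplit("\\", 1)[-1]
        apis = tuple(a.strip() for a in m["apis"].split(",") if a.strip())
        by_image[(image, int(m["proc"]))][int(m["rva"], 16)] = apis
    return dict(by_image)


def compare_images(by_image, a, b):
    """Compare the RVA -> API-chain maps of two process images.

    Returns (same, different, only_a, only_b): RVAs present in both images with
    the same API chain, present in both with a different chain, and present on
    one side only. Identical chains at identical RVAs is what a renamed copy of
    the same build looks like; hashing the two files is the confirming check."""
    fa, fb = by_image[a], by_image[b]
    shared = fa.keys() & fb.keys()
    same = {rva for rva in shared if fa[rva] == fb[rva]}
    return same, shared - same, fa.keys() - fb.keys(), fb.keys() - fa.keys()


def summary(text, a=("YnsEArPlqx.exe", 0), b=("MPGPH131.exe", 6)):
    by_image = parse_rows(text)
    same, different, only_a, only_b = compare_images(by_image, a, b)
    lines = [f"{a[0]} (process {a[1]}) vs {b[0]} (process {b[1]}): "
             f"{len(same)} identical, {len(different)} differing, "
             f"{len(only_a)} only in {a[0]}, {len(only_b)} only in {b[0]}"]
    lines += [f"  0x{rva:08X}  {','.join(by_image[a][rva])}" for rva in sorted(same)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary(REPORT_ROWS))
```

On the rows copied here, every one of the sample's ten locale functions appears at the same RVA with the same API chain in MPGPH131.exe; the two extra RVAs on the MPGPH131.exe side (0x004531CA, 0x0044B1B1) are only missing from the subset because the corresponding sample rows fall outside the rows copied above.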
Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Code function: 0_2_0043361D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,0_2_0043361D
Source: C:\Users\user\Desktop\YnsEArPlqx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: YnsEArPlqx.exe PID: 7408, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7632, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7852, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 8008, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: YnsEArPlqx.exe PID: 7408, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7632, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7852, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 8008, type: MEMORYSTR

MITRE ATT&CK matrix

Only techniques with a mapped signature are listed; the number in parentheses is the count badge as rendered. No technique was mapped under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.

Execution: Command and Scripting Interpreter (2); Scheduled Task/Job (1); Native API (2)
Persistence: Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1)
Privilege Escalation: Process Injection (11); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (12); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (2); DLL Side-Loading (1)
Discovery: System Time Discovery (1); Security Software Discovery (321); Virtualization/Sandbox Evasion (12); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (23)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (11); Non-Standard Port (1); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (13)
Behavior graph (ID 1460294; sample YnsEArPlqx.exe; start date 20/06/2024; architecture WINDOWS; score 100)

Contacted domains: ipinfo.io, db-ip.com
Top-level signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Yara detected RisePro Stealer; 4 other signatures

YnsEArPlqx.exe (started)
  Network: 77.91.77.66 (ports 49731, 49732, 49733; FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation); ipinfo.io 34.117.186.192 (ports 443, 49742, 49743; GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States); db-ip.com 172.67.75.166 (ports 443, 49746, 49747; CLOUDFLARENETUS, United States)
  Dropped files: C:\Users\user\AppData\Local\...\RageMP131.exe (PE32); C:\ProgramData\MPGPH131\MPGPH131.exe (PE32); C:\Users\...\RageMP131.exe:Zone.Identifier (ASCII); C:\...\MPGPH131.exe:Zone.Identifier (ASCII)
  Signatures: Query firmware table information (likely to detect VMs); Found stalling execution ending in API Sleep call; Contains functionality to inject threads in other processes; Uses schtasks.exe or at.exe to add and modify task schedules
  Child processes: schtasks.exe (started) -> conhost.exe (started); schtasks.exe (started) -> conhost.exe (started)
MPGPH131.exe (started)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Tries to detect sandboxes / dynamic malware analysis system (registry check)
RageMP131.exe (started)
2 other processes

Sample
Source | Detection | Scanner | Label
YnsEArPlqx.exe | 100% | Joe Sandbox ML |

Dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 100% | Joe Sandbox ML |
C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Joe Sandbox ML |
C:\ProgramData\MPGPH131\MPGPH131.exe | 55% | ReversingLabs | Win32.Trojan.RiseProStealer
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 55% | ReversingLabs | Win32.Trojan.RiseProStealer

No Antivirus matches
No Antivirus matches
URLs
Source | Detection | Scanner | Label
https://ipinfo.io/ | 0% | URL Reputation | safe
https://t.me/RiseProSUPPORTv | 0% | Avira URL Cloud | safe
https://t.me/RiseProSUPPORTt | 0% | Avira URL Cloud | safe
http://77.91.77.81/mine/amadka.exeisepro_bot | 100% | Avira URL Cloud | phishing
http://77.91.77.81/mine/amadka.exe | 100% | Avira URL Cloud | phishing
http://77.91.77.81/cost/go.exe | 100% | Avira URL Cloud | phishing
https://ipinfo.io:443/widget/demo/8.46.123.33 | 0% | Avira URL Cloud | safe
https://db-ip.com:443/demo/home.php?s=8.46.123.33H | 0% | Avira URL Cloud | safe
http://77.91.77.81/mine/amadka.exe3377b | 100% | Avira URL Cloud | phishing
http://77.91.77.81/mine/amadka.exe.1 | 100% | Avira URL Cloud | phishing
https://db-ip.com:443/demo/home.php?s=8.46.123.33M | 0% | Avira URL Cloud | safe
https://t.me/RiseProSUPPORTf | 0% | Avira URL Cloud | safe
https://ipinfo.io/widget/demo/8.46.123.33NA | 0% | Avira URL Cloud | safe
https://ipinfo.io/widget/demo/8.46.123.33P.tmp | 0% | Avira URL Cloud | safe
http://77.91.77.81/cost/lenin.exe0.1 | 100% | Avira URL Cloud | phishing
https://ipinfo.io/s | 0% | Avira URL Cloud | safe
https://db-ip.com/ | 0% | Avira URL Cloud | safe
https://db-ip.com/oV | 0% | Avira URL Cloud | safe
https://t.me/risepro | 0% | Avira URL Cloud | safe
https://ipinfo.io/widget/demo/8.46.123.33 | 0% | Avira URL Cloud | safe
https://db-ip.com/demo/home.php?s=8.46.123.33f7 | 0% | Avira URL Cloud | safe
http://77.91.77.81/cost/lenin.e | 100% | Avira URL Cloud | phishing
https://db-ip.com:443/demo/home.php?s=8.46.123.33 | 0% | Avira URL Cloud | safe
http://77.91.77.81/mine/amadka.exeB | 100% | Avira URL Cloud | phishing
https://db-ip.com/demo/home.php?s=8.46.123.333 | 0% | Avira URL Cloud | safe
http://77.91.77.81/cost/go.exeT3EU | 100% | Avira URL Cloud | phishing
https://db-ip.com/L | 0% | Avira URL Cloud | safe
https://t.me/risepro_bot8 | 0% | Avira URL Cloud | safe
http://77.91.77.81/mine/amadka.exeisepro_botA% | 100% | Avira URL Cloud | phishing
https://t.me/risepro_botrisep | 0% | Avira URL Cloud | safe
https://db-ip.com/V | 0% | Avira URL Cloud | safe
https://t.me/risepro_bot~ | 0% | Avira URL Cloud | safe
https://t.me/risepro_botClyf(U3 | 0% | Avira URL Cloud | safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | 0% | Avira URL Cloud | safe
https://t.me/RiseProSUPPORT | 0% | Avira URL Cloud | safe
https://t.me/risepro_botK: | 0% | Avira URL Cloud | safe
https://t.me/risepro_bot3ABbfQUY | 0% | Avira URL Cloud | safe
https://ipinfo.io/Mozilla/5.0 | 0% | Avira URL Cloud | safe
http://77.91.77.81/cost/lenin.exek.com | 100% | Avira URL Cloud | phishing
http://77.91.77.81/cost/go.exew9u | 100% | Avira URL Cloud | phishing
http://77.91.77.81/cost/lenin.exe/risepro | 100% | Avira URL Cloud | phishing
https://db-ip.com/h | 0% | Avira URL Cloud | safe
https://t.me/risepro_botlater | 0% | Avira URL Cloud | safe
https://t.me/risepro_bot | 0% | Avira URL Cloud | safe
https://t.%9 | 0% | Avira URL Cloud | safe
http://77.91.77.81/mine/amadka.exe0.1 | 100% | Avira URL Cloud | phishing
http://77.91.77.81/cost/go.exeOP | 100% | Avira URL Cloud | phishing
https://www.maxmind.com/en/locate-my-ip-address | 0% | Avira URL Cloud | safe
http://www.winimage.com/zLibDll | 0% | Avira URL Cloud | safe
https://db-ip.com/demo/home.php?s=8.46.123.33w | 0% | Avira URL Cloud | safe
https://db-ip.com/demo/home.php?s=8.46.123.33 | 0% | Avira URL Cloud | safe
https://db-ip.com/demo/home.php?s=8.46.123.33k | 0% | Avira URL Cloud | safe
http://77.91.77.81/cost/lenin.exe | 100% | Avira URL Cloud | malware
https://db-ip.com:443/demo/home.php?s=8.46.123.338 | 0% | Avira URL Cloud | safe
https://t.h | 0% | Avira URL Cloud | safe
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipinfo.io | 34.117.186.192 | true | false | | unknown
db-ip.com | 172.67.75.166 | true | false | | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://ipinfo.io/widget/demo/8.46.123.33 | false | Avira URL Cloud: safe | unknown
https://ipinfo.io/ | false | URL Reputation: safe | unknown
https://db-ip.com/demo/home.php?s=8.46.123.33 | false | Avira URL Cloud: safe | unknown
URL strings found in memory
Name | Source | Malicious | Antivirus Detection | Reputation
http://77.91.77.81/mine/amadka.exe | RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://77.91.77.81/mine/amadka.exeisepro_bot | MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
https://ipinfo.io:443/widget/demo/8.46.123.33 | YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000E45000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933668257.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056302312.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://db-ip.com:443/demo/home.php?s=8.46.123.33M | MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.me/RiseProSUPPORTv | RageMP131.exe, 0000000C.00000002.3055648642.0000000000E67000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://77.91.77.81/cost/go.exe | RageMP131.exe, 0000000C.00000002.3056865794.0000000000F59000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
https://t.me/RiseProSUPPORTt | MPGPH131.exe, 00000006.00000002.3055816885.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://77.91.77.81/mine/amadka.exe.1 | MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://77.91.77.81/mine/amadka.exe3377b | MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
https://db-ip.com:443/demo/home.php?s=8.46.123.33H | YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://db-ip.com/ | YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://db-ip.com/oV | MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ipinfo.io/widget/demo/8.46.123.33NA | MPGPH131.exe, 00000006.00000002.3055816885.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.me/RiseProSUPPORTf | YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://77.91.77.81/cost/lenin.exe0.1 | RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
https://t.me/risepro | MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ipinfo.io/widget/demo/8.46.123.33P.tmp | YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D2C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ipinfo.io/s | MPGPH131.exe, 00000006.00000002.3055816885.0000000000E01000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://db-ip.com/demo/home.php?s=8.46.123.33f7 | MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://77.91.77.81/cost/lenin.e | MPGPH131.exe, 00000006.00000002.3055816885.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
https://db-ip.com:443/demo/home.php?s=8.46.123.33 | MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://77.91.77.81/mine/amadka.exeB | YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
https://db-ip.com/demo/home.php?s=8.46.123.333 | RageMP131.exe, 0000000C.00000002.3055648642.0000000000EC2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.me/risepro_bot8 | YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://db-ip.com/L | RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://77.91.77.81/mine/amadka.exeisepro_botA% | RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://77.91.77.81/cost/go.exeT3EU | MPGPH131.exe, 00000006.00000002.3055816885.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
https://t.me/risepro_botrisep | RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://db-ip.com/V | RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.me/risepro_botClyf(U3 | MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.me/risepro_bot~ | YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | YnsEArPlqx.exe, 00000000.00000003.1815516370.0000000002980000.00000004.00001000.00020000.00000000.sdmp, YnsEArPlqx.exe, 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1854273690.0000000002860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1854619896.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000B.00000003.1930519219.0000000002740000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3053466368.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000002.3053447329.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2009098412.0000000002840000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.me/risepro_botK: | RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.me/RiseProSUPPORT | YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3055498202.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000E67000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.me/risepro_bot3ABbfQUY | MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://77.91.77.81/cost/lenin.exek.com | MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
https://ipinfo.io/Mozilla/5.0 | YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000E45000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://77.91.77.81/cost/go.exew9u | YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://77.91.77.81/cost/lenin.exe/risepro | YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
https://db-ip.com/h | RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.me/risepro_bot | RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.me/risepro_botlater | MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.%9 | YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://77.91.77.81/mine/amadka.exe0.1 | RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
https://www.maxmind.com/en/locate-my-ip-address | MPGPH131.exe | false | Avira URL Cloud: safe | unknown
http://77.91.77.81/cost/go.exeOP | RageMP131.exe, 0000000C.00000002.3055648642.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://www.winimage.com/zLibDll | YnsEArPlqx.exe, 00000000.00000003.1815516370.0000000002980000.00000004.00001000.00020000.00000000.sdmp, YnsEArPlqx.exe, 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1854273690.0000000002860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1854619896.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000B.00000003.1930519219.0000000002740000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3053466368.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000002.3053447329.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2009098412.0000000002840000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://db-ip.com/demo/home.php?s=8.46.123.33w | YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.h | MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://db-ip.com/demo/home.php?s=8.46.123.33k | RageMP131.exe, 0000000C.00000002.3055648642.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://77.91.77.81/cost/lenin.exe | RageMP131.exe, 0000000C.00000002.3056865794.0000000000F59000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://db-ip.com:443/demo/home.php?s=8.46.123.338 | RageMP131.exe, 0000000B.00000002.3055498202.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IPs
IP | Domain | Country | ASN | ASN Name | Malicious
34.117.186.192 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
172.67.75.166 | db-ip.com | United States | 13335 | CLOUDFLARENETUS | false
77.91.77.66 | unknown | Russian Federation | 42861 | FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | true
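The URL strings above were carved from memory dumps, so many carry trailing bytes from whatever followed the string on the heap (amadka.exe3377b, risepro_bot~, 8.46.123.33P.tmp), two are glued-together neighbours (https://ipinfo.io/ followed by the MaxMind URL and Ws2_32.dll), and two are fragments with no usable host (https://t.%9, https://t.h). Before any of this goes into a blocklist it has to be collapsed onto the bytes that are provably part of each URL. The script below is an added example and not part of the Joe Sandbox report: it takes a subset of the rows above as constructed input (with " | " between the columns), cuts each URL at a known terminator, flags glued or fragmentary strings, and counts in how many distinct processes each indicator was seen. The one assumption is that 8.46.123.33, the value the sample passes to the ipinfo.io and db-ip.com lookups, is the analysis VM's own public address.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: a subset of this report's "URL strings found in memory" rows,
# copied as extracted, with " | " between URL, memory-dump sources and the Avira
# URL Cloud verdict (the rendered page runs the columns together).
MEMORY_URL_ROWS = r"""
http://77.91.77.81/mine/amadka.exe | RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp | phishing
http://77.91.77.81/mine/amadka.exe3377b | MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp | phishing
http://77.91.77.81/cost/go.exeT3EU | MPGPH131.exe, 00000006.00000002.3055816885.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp | phishing
http://77.91.77.81/cost/lenin.exe0.1 | RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp | phishing
http://77.91.77.81/cost/lenin.e | MPGPH131.exe, 00000006.00000002.3055816885.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp | phishing
https://db-ip.com:443/demo/home.php?s=8.46.123.33M | MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp | safe
https://ipinfo.io/widget/demo/8.46.123.33P.tmp | YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D2C000.00000004.00000020.00020000.00000000.sdmp | safe
https://ipinfo.io/Mozilla/5.0 | YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D57000.00000004.00000020.00020000.00000000.sdmp | safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | YnsEArPlqx.exe, 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmp | safe
https://t.me/risepro_bot~ | YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp | safe
https://t.me/risepro_bot | RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp | safe
https://t.%9 | YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp | safe
"""

# Assumption: 8.46.123.33 is the analysis VM's public address; it is the value
# the sample passed to the ipinfo.io / db-ip.com geolocation lookups above.
SANDBOX_EGRESS_IP = "8.46.123.33"
PAYLOAD_EXT = re.compile(r"\.(?:exe|dll|php)", re.IGNORECASE)
HOST_RE = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})$")


def normalize(url):
    """Cut a memory-string URL at the last byte that is provably part of it.

    Returns (canonical_url, status). Bytes after a known terminator (a file
    extension, or the sandbox egress IP in a lookup URL) are heap noise; two
    URLs glued together are separate strings; a malformed host means the string
    is a fragment that cannot be used as an indicator at all."""
    host = urlsplit(url).hostname or ""
    if not HOST_RE.match(host):
        return url, "invalid-host"
    if url.count("://") > 1:
        second = url.find("://", url.find("://") + 3)
        return url[:second].rsplit("/", 1)[0] + "/", "concatenated"
    i = url.find(SANDBOX_EGRESS_IP)
    if i != -1:
        return url[: i + len(SANDBOX_EGRESS_IP)], "verified"
    m = PAYLOAD_EXT.search(url)
    if m:
        return url[: m.end()], "verified"
    return url, "unverified"  # e.g. t.me handles: no structural terminator


def build_ioc_table(rows_text):
    """Group the raw rows by canonical URL, counting distinct source processes."""
    table = defaultdict(lambda: {"statuses": set(), "variants": set(),
                                 "processes": set(), "verdicts": set()})
    for line in rows_text.strip().splitlines():
        url, sources, verdict = (field.strip() for field in line.split(" | "))
        canonical, status = normalize(url)
        entry = table[canonical]
        entry["statuses"].add(status)
        entry["variants"].add(url)
        entry["verdicts"].add(verdict)
        # Joe's dump id begins with the process number; count processes, not dumps.
        entry["processes"].update(re.findall(r"\.exe, ([0-9A-F]{8})\.", sources))
    return dict(table)


def observed_hosts(table):
    """Hosts backed by at least one row whose host name parsed cleanly."""
    return {urlsplit(url).hostname for url, e in table.items()
            if "invalid-host" not in e["statuses"]}


if __name__ == "__main__":
    for canonical, e in sorted(build_ioc_table(MEMORY_URL_ROWS).items()):
        print(f"{canonical:60} {','.join(sorted(e['statuses'])):12} "
              f"procs={len(e['processes'])} variants={len(e['variants'])} "
              f"avira={','.join(sorted(e['verdicts']))}")
```

Telegram handles have no structural terminator, so their variants stay "unverified" and are left for a human rather than guessed at; the three executables on 77.91.77.81 collapse cleanly because ".exe" is an unambiguous end of the path. ipinfo.io and db-ip.com are public geolocation services the sample queries with the victim's own address, so they belong in a hunt list rather than a blocklist, whereas 77.91.77.81 and 77.91.77.66 (marked malicious in the IP table above) belong in both.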
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1460294
                Start date and time:2024-06-20 18:56:06 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 8m 34s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:YnsEArPlqx.exe
                renamed because original name is a hash value
                Original Sample Name:ab8e88bff0b907fc49b949d704490018.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@11/5@3/3
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:Failed
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                • Report creation exceeded maximum time and may have missing disassembly code information.
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • VT rate limit hit for: YnsEArPlqx.exe
Time | Type | Description
12:58:13 | API Interceptor | 56x Sleep call for process: RageMP131.exe modified
12:58:13 | API Interceptor | 87x Sleep call for process: MPGPH131.exe modified
12:58:13 | API Interceptor | 42x Sleep call for process: YnsEArPlqx.exe modified
17:57:14 | Task Scheduler | Run new task: MPGPH131 HR, path: C:\ProgramData\MPGPH131\MPGPH131.exe
17:57:14 | Task Scheduler | Run new task: MPGPH131 LG, path: C:\ProgramData\MPGPH131\MPGPH131.exe
17:57:14 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value RageMP131 = C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
17:57:22 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value RageMP131 = C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
34.117.186.192 | HP-patchedUS-deobfuscated.exe | malicious | Unknown | ipinfo.io/
34.117.186.192 | HP-patchedUS-deobfuscated.exe | malicious | Unknown | ipinfo.io/
34.117.186.192 | HP-patchedUS-deobfuscated.exe | malicious | Unknown | ipinfo.io/
34.117.186.192 | SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe | malicious | Unknown | ipinfo.io/json
34.117.186.192 | SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe | malicious | Unknown | ipinfo.io/json
34.117.186.192 | Raptor.HardwareService.Setup 1.msi | malicious | Unknown | ipinfo.io/ip
34.117.186.192 | Conferma_Pdf_Editor.exe | malicious | Planet Stealer | ipinfo.io/
34.117.186.192 | Conferma_Pdf_Editor.exe | malicious | Planet Stealer | ipinfo.io/
34.117.186.192 | w.sh | malicious | Xmrig | /ip
34.117.186.192 | Raptor.HardwareService.Setup_2.3.6.0.msi | malicious | Unknown | ipinfo.io/ip
172.67.75.166 | T17sbXrL3i.exe | malicious | RisePro Stealer | -
172.67.75.166 | file.exe | malicious | RisePro Stealer | -
172.67.75.166 | https://curious-kringle-id4964-024b3b3.netlify.app/form.html | malicious | Unknown | -
172.67.75.166 | 4Ip0IVHqJ3.exe | malicious | RisePro Stealer | -
172.67.75.166 | https://gacw-no-reply-restriction-appeal-case.netlify.app/feedback_id_38258467296/ | malicious | Unknown | -
172.67.75.166 | http://rules-prohibiting-violative-advertisi.netlify.app/appeal_case_ID_78234127826/ | malicious | Unknown | -
172.67.75.166 | SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe | malicious | Amadey, RisePro Stealer | -
172.67.75.166 | jv9lMYVHh0.exe | malicious | RisePro Stealer | -
172.67.75.166 | 5i5Cl02eCU.exe | malicious | RisePro Stealer | -
172.67.75.166 | file.exe | malicious | RisePro Stealer | -
77.91.77.66 | AlCsIOd0pd.exe | malicious | RisePro Stealer | -
77.91.77.66 | setup.exe | malicious | Amadey, RisePro Stealer | -
77.91.77.66 | D44CPdpkNk.exe | malicious | RisePro Stealer | -
77.91.77.66 | WGEfBWbWQI.exe | malicious | RisePro Stealer | -
77.91.77.66 | 2bT2lTwRku.exe | malicious | RisePro Stealer | -
77.91.77.66 | T17sbXrL3i.exe | malicious | RisePro Stealer | -
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
ipinfo.io | setup.exe | malicious | Amadey, RisePro Stealer | 34.117.186.192
ipinfo.io | D44CPdpkNk.exe | malicious | RisePro Stealer | 34.117.186.192
ipinfo.io | 1kBeqS7E3z.exe | malicious | LummaC, RisePro Stealer, Vidar | 34.117.186.192
ipinfo.io | WGEfBWbWQI.exe | malicious | RisePro Stealer | 34.117.186.192
ipinfo.io | 2bT2lTwRku.exe | malicious | RisePro Stealer | 34.117.186.192
ipinfo.io | T17sbXrL3i.exe | malicious | RisePro Stealer | 34.117.186.192
ipinfo.io | http://telegliam.icu/ | malicious | Unknown | 34.117.186.192
ipinfo.io | https://ingresar-365-msn.glitch.me/ | malicious | Unknown | 34.117.186.192
ipinfo.io | Jr7B1jZMaT.exe | malicious | NovaSentinel | 34.117.186.192
ipinfo.io | file.exe | malicious | RisePro Stealer | 34.117.186.192
db-ip.com | setup.exe | malicious | Amadey, RisePro Stealer | 104.26.5.15
db-ip.com | D44CPdpkNk.exe | malicious | RisePro Stealer | 104.26.4.15
db-ip.com | 1kBeqS7E3z.exe | malicious | LummaC, RisePro Stealer, Vidar | 104.26.4.15
db-ip.com | WGEfBWbWQI.exe | malicious | RisePro Stealer | 104.26.4.15
db-ip.com | 2bT2lTwRku.exe | malicious | RisePro Stealer | 104.26.5.15
db-ip.com | T17sbXrL3i.exe | malicious | RisePro Stealer | 172.67.75.166
db-ip.com | file.exe | malicious | RisePro Stealer | 172.67.75.166
db-ip.com | https://curious-kringle-id4964-024b3b3.netlify.app/form.html | malicious | Unknown | 104.26.5.15
db-ip.com | https://glist43-dase23-ac9ae33.netlify.app/dev.html/ | malicious | Unknown | 104.26.5.15
db-ip.com | 4Ip0IVHqJ3.exe | malicious | RisePro Stealer | 172.67.75.166
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
FOTONTELECOM-TRANSIT-AS FOTON TELECOM ISP (RU) | AlCsIOd0pd.exe | malicious | RisePro Stealer | 77.91.77.66
FOTONTELECOM-TRANSIT-AS FOTON TELECOM ISP (RU) | setup.exe | malicious | Amadey, RisePro Stealer | 77.91.77.81
FOTONTELECOM-TRANSIT-AS FOTON TELECOM ISP (RU) | setup.exe | malicious | Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, XWorm, zgRAT | 77.91.77.81
FOTONTELECOM-TRANSIT-AS FOTON TELECOM ISP (RU) | FN MultiHack v2.exe | malicious | RedLine | 77.91.77.6
FOTONTELECOM-TRANSIT-AS FOTON TELECOM ISP (RU) | D44CPdpkNk.exe | malicious | RisePro Stealer | 77.91.77.66
FOTONTELECOM-TRANSIT-AS FOTON TELECOM ISP (RU) | https://drive.google.com/file/d/1SCCeBL3Md8Sct7wQF5bfbtLysFqXCW6y/view?ts=667387ac | malicious | Unknown | 77.91.77.5
FOTONTELECOM-TRANSIT-AS FOTON TELECOM ISP (RU) | https://drive.google.com/file/d/1SCCeBL3Md8Sct7wQF5bfbtLysFqXCW6y/view?ts=667387ac | malicious | Unknown | 77.91.77.5
FOTONTELECOM-TRANSIT-AS FOTON TELECOM ISP (RU) | WGEfBWbWQI.exe | malicious | RisePro Stealer | 77.91.77.66
FOTONTELECOM-TRANSIT-AS FOTON TELECOM ISP (RU) | 2bT2lTwRku.exe | malicious | RisePro Stealer | 77.91.77.66
FOTONTELECOM-TRANSIT-AS FOTON TELECOM ISP (RU) | T17sbXrL3i.exe | malicious | RisePro Stealer | 77.91.77.66
GOOGLE-AS-AP Google Asia Pacific Pte Ltd (SG) | https://www.barstoolsports.com/blog/3517288/i-would-fucking-kill-you-right-now-if-i-could-kelly-and-tate-finally-met-in-chicago-and-boy-oh-boy-was-it-fireworks#story-comments | malicious | Unknown | 34.117.239.71
GOOGLE-AS-AP Google Asia Pacific Pte Ltd (SG) | https://my.visme.co/v/pvmd79je-dj6mqv | malicious | Unknown | 34.117.77.79
GOOGLE-AS-AP Google Asia Pacific Pte Ltd (SG) | setup.exe | malicious | Amadey, RisePro Stealer | 34.117.186.192
GOOGLE-AS-AP Google Asia Pacific Pte Ltd (SG) | D44CPdpkNk.exe | malicious | RisePro Stealer | 34.117.186.192
GOOGLE-AS-AP Google Asia Pacific Pte Ltd (SG) | 1kBeqS7E3z.exe | malicious | LummaC, RisePro Stealer, Vidar | 34.117.186.192
GOOGLE-AS-AP Google Asia Pacific Pte Ltd (SG) | WGEfBWbWQI.exe | malicious | RisePro Stealer | 34.117.186.192
GOOGLE-AS-AP Google Asia Pacific Pte Ltd (SG) | 2bT2lTwRku.exe | malicious | RisePro Stealer | 34.117.186.192
GOOGLE-AS-AP Google Asia Pacific Pte Ltd (SG) | T17sbXrL3i.exe | malicious | RisePro Stealer | 34.117.186.192
GOOGLE-AS-AP Google Asia Pacific Pte Ltd (SG) | http://h3200457.wixsite.com/my-site-1/ | malicious | Unknown | 34.117.60.144
GOOGLE-AS-AP Google Asia Pacific Pte Ltd (SG) | http://telegliam.icu/ | malicious | Unknown | 34.117.186.192
CLOUDFLARENET (US) | https://www.barstoolsports.com/blog/3517288/i-would-fucking-kill-you-right-now-if-i-could-kelly-and-tate-finally-met-in-chicago-and-boy-oh-boy-was-it-fireworks#story-comments | malicious | Unknown | 172.64.151.101
CLOUDFLARENET (US) | FAX_202405_136088.xhtml | malicious | Unknown | 104.18.11.207
CLOUDFLARENET (US) | SecuriteInfo.com.Trojan.PackedNET.2926.9666.23696.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENET (US) | ATT001_PlayVM.html | malicious | Unknown | 172.64.151.101
CLOUDFLARENET (US) | Products volume.exe | malicious | FormBook | 104.21.84.156
CLOUDFLARENET (US) | aaaaa.shtml.html | malicious | HTMLPhisher | 104.18.11.207
CLOUDFLARENET (US) | https://airtable.com/appLxB5sOmdo2GJo9/shrh1CoBQsbhadVcV | malicious | HTMLPhisher | 172.64.155.119
CLOUDFLARENET (US) | OFS Fitel, LLC In-Service Agreement.doc | malicious | Unknown | 104.18.2.35
CLOUDFLARENET (US) | ACH Receipt.html | malicious | HTMLPhisher | 188.114.96.3
CLOUDFLARENET (US) | https://docs.google.com/drawings/d/1qLrBv5e6nFXfFVtMDNkicLQy_velV_hePF-fb4qRTSc/preview | malicious | Unknown | 1.1.1.1
Match (JA3 fingerprint) | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | Invoice.docm | malicious | Unknown | 34.117.186.192, 172.67.75.166
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC, PureLog Stealer, zgRAT | 34.117.186.192, 172.67.75.166
a0e9f5d64349fb13191bc781f81f42e1 | Setup.exe | malicious | LummaC, Amadey, LummaC Stealer | 34.117.186.192, 172.67.75.166
a0e9f5d64349fb13191bc781f81f42e1 | setup.exe | malicious | Amadey, RisePro Stealer | 34.117.186.192, 172.67.75.166
a0e9f5d64349fb13191bc781f81f42e1 | setup.exe | malicious | LummaC | 34.117.186.192, 172.67.75.166
a0e9f5d64349fb13191bc781f81f42e1 | setup.exe | malicious | LummaC | 34.117.186.192, 172.67.75.166
a0e9f5d64349fb13191bc781f81f42e1 | Galaxy Swapper v2.0.3.exe | malicious | LummaC, Xmrig | 34.117.186.192, 172.67.75.166
a0e9f5d64349fb13191bc781f81f42e1 | setup.exe | malicious | LummaC | 34.117.186.192, 172.67.75.166
a0e9f5d64349fb13191bc781f81f42e1 | setup.exe | malicious | LummaC | 34.117.186.192, 172.67.75.166
a0e9f5d64349fb13191bc781f81f42e1 | file.exe | malicious | LummaC | 34.117.186.192, 172.67.75.166
                                                No context
                                                Process:C:\Users\user\Desktop\YnsEArPlqx.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):3270672
                                                Entropy (8bit):7.967404431164332
                                                Encrypted:false
                                                SSDEEP:98304:e5tF1/fIhf2JK5KtqWaUMrXYQjC4fbEaSNthtA:Ib4haKUt1aUWI4xfbnSHhu
                                                MD5:AB8E88BFF0B907FC49B949D704490018
                                                SHA1:559F2F2B61BD344293F7CBC78B72D8E368910AE3
                                                SHA-256:921C5314FC334BAC928A8398DA1C8341B1021CF92AE83BF8B872D422F2E7EF8F
                                                SHA-512:C2388EDC661CBAAECCF2FF9A2C153B5D201CF7A2C605570EB992AFA3878A0F24C96E1443713E9330833001A4D2BE245E6F49F281C663118ADEB76ECF7D2E41B5
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 55%
                                                Reputation:low
                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....|......X.X...........@...........................~.......2......................................a..........8....................p~..............................p...............................6..@................... ........................... ..` 2~..........................@..@ 0I...P......................@....rsrc...8...........................@..@ X........r..................@..B.idata.......`.......r..............@....tls.........p.......v...................themida..>..........x..............`....boot....p&...X..p&..x..............`..`.reloc.......p~.......1................@................................................................
                                                Process:C:\Users\user\Desktop\YnsEArPlqx.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Reputation:high, very likely benign file
                                                Preview:[ZoneTransfer]....ZoneId=0
                                                Process:C:\Users\user\Desktop\YnsEArPlqx.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):3270672
                                                Entropy (8bit):7.967404431164332
                                                Encrypted:false
                                                SSDEEP:98304:e5tF1/fIhf2JK5KtqWaUMrXYQjC4fbEaSNthtA:Ib4haKUt1aUWI4xfbnSHhu
                                                MD5:AB8E88BFF0B907FC49B949D704490018
                                                SHA1:559F2F2B61BD344293F7CBC78B72D8E368910AE3
                                                SHA-256:921C5314FC334BAC928A8398DA1C8341B1021CF92AE83BF8B872D422F2E7EF8F
                                                SHA-512:C2388EDC661CBAAECCF2FF9A2C153B5D201CF7A2C605570EB992AFA3878A0F24C96E1443713E9330833001A4D2BE245E6F49F281C663118ADEB76ECF7D2E41B5
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                • Antivirus: ReversingLabs, Detection: 55%
                                                Reputation:low
                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....|......X.X...........@...........................~.......2......................................a..........8....................p~..............................p...............................6..@................... ........................... ..` 2~..........................@..@ 0I...P......................@....rsrc...8...........................@..@ X........r..................@..B.idata.......`.......r..............@....tls.........p.......v...................themida..>..........x..............`....boot....p&...X..p&..x..............`..`.reloc.......p~.......1................@................................................................
                                                Process:C:\Users\user\Desktop\YnsEArPlqx.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Reputation:high, very likely benign file
                                                Preview:[ZoneTransfer]....ZoneId=0
                                                Process:C:\Users\user\Desktop\YnsEArPlqx.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:modified
                                                Size (bytes):13
                                                Entropy (8bit):2.8731406795131336
                                                Encrypted:false
                                                SSDEEP:3:L1VcuRn:TRRn
                                                MD5:D2322FA1329556D66DDD87C7F6D2456D
                                                SHA1:FEFE77CAE67D8ADEECAC37F97DA6B7BB3CF2CA4F
                                                SHA-256:382F74819EB312810D9DC06212DFCACFE2AB3B3585DB98DFA83BB35EF0396E70
                                                SHA-512:BD20A13F63A556FF645BC9FE1E5CC59E7B160C106207B2999881F8B4D661A597850A2BE1FA24A9E8FB6F6E4DCCB109EDF327A5E313F80054EC296F5715551970
                                                Malicious:false
                                                Reputation:low
                                                Preview:1718909364668
                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                Entropy (8bit):7.967404431164332
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:YnsEArPlqx.exe
                                                File size:3'270'672 bytes
                                                MD5:ab8e88bff0b907fc49b949d704490018
                                                SHA1:559f2f2b61bd344293f7cbc78b72d8e368910ae3
                                                SHA256:921c5314fc334bac928a8398da1c8341b1021cf92ae83bf8b872d422f2e7ef8f
                                                SHA512:c2388edc661cbaaeccf2ff9a2c153b5d201cf7a2c605570eb992afa3878a0f24c96e1443713e9330833001a4d2be245e6f49f281c663118adeb76ecf7d2e41b5
                                                SSDEEP:98304:e5tF1/fIhf2JK5KtqWaUMrXYQjC4fbEaSNthtA:Ib4haKUt1aUWI4xfbnSHhu
                                                TLSH:C0E53367CC66D2E5F27D54332B36890CA63A91A26E2355B5782F133068F2C4D87E1DCE
                                                File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s
                                                Icon Hash:8596a1a0a1a1b171
                                                Entrypoint:0x980058
                                                Entrypoint Section:.boot
                                                Digitally signed:false
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                DLL Characteristics:TERMINAL_SERVER_AWARE
                                                Time Stamp:0x664C6914 [Tue May 21 09:27:48 2024 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:6
                                                OS Version Minor:0
                                                File Version Major:6
                                                File Version Minor:0
                                                Subsystem Version Major:6
                                                Subsystem Version Minor:0
                                                Import Hash:63814aaf116ba6abb6496ce4bcad24c6
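The static fields above (entry point 0x980058 inside a non-standard `.boot` section, image base 0x400000, 8-bit entropy of 7.97, and section names such as `.themida` next to the unprintable one visible in the file preview) are the things a triage script derives from the PE header before any dynamic analysis runs. The Python below is an added example, not Joe Sandbox's own code: it walks the DOS, COFF, optional and section headers with `struct`, resolves the section that contains the entry point, flags an entry point outside conventional code sections (the `STANDARD_CODE_SECTIONS` set is an assumption of this example), flags section names with special characters, and computes per-section entropy. `build_test_pe` constructs a minimal stand-in image that reuses only this report's header values; it is not the sample.

```python
"""Static triage of a PE header: entry-point section, section-name sanity,
per-section entropy. Added example, not Joe Sandbox code; build_test_pe()
constructs a stand-in image that only reuses this report's header values
(ImageBase 0x400000, entry point 0x980058 in .boot)."""
import math
import struct

# Assumption: the section names a conventional linker puts the entry point in.
STANDARD_CODE_SECTIONS = {".text", "CODE", ".code"}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte (0.0 .. 8.0); packed or encrypted data sits near 8."""
    if not buf:
        return 0.0
    n, counts = len(buf), [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """DOS header -> e_lfanew -> PE signature -> COFF -> optional header -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                   # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                 # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr,
                         "vsize": vsize, "raw": data[rawptr:rawptr + rawsize]})
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def analyse(data: bytes) -> dict:
    pe = parse_pe(data)
    entry_section = next((s["name"] for s in pe["sections"]
                          if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + max(s["vsize"], len(s["raw"]))), None)
    odd = [s["name"] for s in pe["sections"] if not all(c.isalnum() or c in "._$" for c in s["name"])]
    return {
        "entry_va": pe["image_base"] + pe["entry_rva"],
        "entry_section": entry_section,
        "entry_outside_standard": entry_section not in STANDARD_CODE_SECTIONS,
        "odd_section_names": odd,
        "entropy": {s["name"]: round(shannon_entropy(s["raw"]), 2) for s in pe["sections"]},
    }


def build_test_pe(entry_rva: int, sections) -> bytes:
    """Minimal PE32 image (constructed test input): headers in the first 0x400
    bytes, then one 0x400-byte raw block per (name, vaddr, bytes) tuple."""
    align = 0x400
    hdr = bytearray(64)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)                                   # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0x664C6914, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                               # ImageBase
    hdr += opt
    body = bytearray()
    for i, (name, vaddr, raw) in enumerate(sections):
        assert len(raw) <= align, "test builder keeps one aligned block per section"
        hdr += struct.pack("<8sIIIIIIHHI", name.encode("latin-1").ljust(8, b"\0"), len(raw),
                           vaddr, align, align * (i + 1), 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(align, b"\0")
    return bytes(hdr.ljust(align, b"\0") + body)


def demo() -> dict:
    packed = bytes(range(256)) * 4                 # maximal-entropy stand-in for packed data
    image = build_test_pe(0x580058, [             # 0x400000 + 0x580058 = 0x980058
        (".text", 0x1000, b"\x90" * 0x400),
        (" 2~", 0x2000, packed),                   # section name with special characters
        (".themida", 0x3000, packed),
        (".boot", 0x580000, packed),
    ])
    return analyse(image)


if __name__ == "__main__":
    print(demo())
```

On the constructed image `analyse` reports the entry point at 0x980058 in `.boot`, outside the standard code sections, one odd section name, and entropy 8.0 for the three "packed" sections versus 0.0 for the NOP-filled `.text`; on a real file the same three signals (entry point in a packer section, unprintable section names, near-8 entropy) are what the "Entry point lies outside standard sections" and "PE file contains section with special chars" findings in this report encode.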
                                                Instruction
                                                call 00007FE248B82EC0h
                                                push ebx
                                                mov ebx, esp
                                                push ebx
                                                mov esi, dword ptr [ebx+08h]
                                                mov edi, dword ptr [ebx+10h]
                                                cld
                                                mov dl, 80h
                                                mov al, byte ptr [esi]
                                                inc esi
                                                mov byte ptr [edi], al
                                                inc edi
                                                mov ebx, 00000002h
                                                add dl, dl
                                                jne 00007FE248B82D77h
                                                mov dl, byte ptr [esi]
                                                inc esi
                                                adc dl, dl
                                                jnc 00007FE248B82D5Ch
                                                add dl, dl
                                                jne 00007FE248B82D77h
                                                mov dl, byte ptr [esi]
                                                inc esi
                                                adc dl, dl
                                                jnc 00007FE248B82DC3h
                                                xor eax, eax
                                                add dl, dl
                                                jne 00007FE248B82D77h
                                                mov dl, byte ptr [esi]
                                                inc esi
                                                adc dl, dl
                                                jnc 00007FE248B82E57h
                                                add dl, dl
                                                jne 00007FE248B82D77h
                                                mov dl, byte ptr [esi]
                                                inc esi
                                                adc dl, dl
                                                adc eax, eax
                                                add dl, dl
                                                jne 00007FE248B82D77h
                                                mov dl, byte ptr [esi]
                                                inc esi
                                                adc dl, dl
                                                adc eax, eax
                                                add dl, dl
                                                jne 00007FE248B82D77h
                                                mov dl, byte ptr [esi]
                                                inc esi
                                                adc dl, dl
                                                adc eax, eax
                                                add dl, dl
                                                jne 00007FE248B82D77h
                                                mov dl, byte ptr [esi]
                                                inc esi
                                                adc dl, dl
                                                adc eax, eax
                                                je 00007FE248B82D7Ah
                                                push edi
                                                mov eax, eax
                                                sub edi, eax
                                                mov al, byte ptr [edi]
                                                pop edi
                                                mov byte ptr [edi], al
                                                inc edi
                                                mov ebx, 00000002h
                                                jmp 00007FE248B82D0Bh
                                                mov eax, 00000001h
                                                add dl, dl
                                                jne 00007FE248B82D77h
                                                mov dl, byte ptr [esi]
                                                inc esi
                                                adc dl, dl
                                                adc eax, eax
                                                add dl, dl
                                                jne 00007FE248B82D77h
                                                mov dl, byte ptr [esi]
                                                inc esi
                                                adc dl, dl
                                                jc 00007FE248B82D5Ch
                                                sub eax, ebx
                                                mov ebx, 00000001h
                                                jne 00007FE248B82D9Ah
                                                mov ecx, 00000001h
                                                add dl, dl
                                                jne 00007FE248B82D77h
                                                mov dl, byte ptr [esi]
                                                inc esi
                                                adc dl, dl
                                                adc ecx, ecx
                                                add dl, dl
                                                jne 00007FE248B82D77h
                                                mov dl, byte ptr [esi]
                                                inc esi
                                                adc dl, dl
                                                jc 00007FE248B82D5Ch
                                                push esi
                                                mov esi, edi
                                                sub esi, ebp
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x19618b | 0x184 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18a000 | 0x1638 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7e7000 | 0x10 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x197018 | 0x18 | .tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x18369c | 0x40 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no name) | 0x1000 | 0x15bbc8 | 0x9d200 | 261dcbc24cbc9eb16e95b23575219f53 | False | 0.9987973597852029 | data | 7.981638520890903 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
(no name) | 0x15d000 | 0x27e32 | 0x10a00 | 9c4edc30bf568b4831d47c2fa8adcade | False | 0.994140625 | data | 7.943472834836404 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(no name) | 0x185000 | 0x4930 | 0x800 | b28ebea9ebe41ba142a74e93b46ebac9 | False | 0.98681640625 | data | 7.721777854568001 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x18a000 | 0x1638 | 0x1800 | fe6f3fdb9e7e97cba92d8ce4e4fcc95b | False | 0.7220052083333334 | data | 6.54017046361188 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(no name) | 0x18c000 | 0x9858 | 0x7200 | 55d409a165ae6286b51388ca331aeab8 | False | 0.9794750548245614 | data | 7.934264573672369 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata | 0x196000 | 0x1000 | 0x400 | 1b20e07443fa333ff9692026d1e6c6c2 | False | 0.3984375 | data | 3.42439969016873 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x197000 | 0x1000 | 0x200 | 54a50a058e0f3b6aa2fe1b22e2033106 | False | 0.056640625 | data | 0.18120187678200297 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.themida | 0x198000 | 0x3e8000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot | 0x580000 | 0x267000 | 0x267000 | 0a00394383a54186173259ab3252cfac | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0x7e7000 | 0x1000 | 0x10 | f5bc99b71bad9e8a775cc32747e3ca58 | False | 1.5 | GLS_BINARY_LSB_FIRST | 2.474601752714581 | IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x18a440 | 0x1060 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Russian | Russia | 0.8838263358778626
RT_GROUP_ICON | 0x18b4a0 | 0x14 | data | Russian | Russia | 1.05
RT_VERSION | 0x18a130 | 0x310 | data | Russian | Russia | 0.45408163265306123
RT_MANIFEST | 0x18b4b8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
kernel32.dll | GetModuleHandleA
USER32.dll | wsprintfA
GDI32.dll | CreateCompatibleBitmap
ADVAPI32.dll | RegQueryValueExA
SHELL32.dll | ShellExecuteA
ole32.dll | CoInitialize
WS2_32.dll | WSAStartup
CRYPT32.dll | CryptUnprotectData
SHLWAPI.dll | PathFindExtensionA
gdiplus.dll | GdipGetImageEncoders
SETUPAPI.dll | SetupDiEnumDeviceInfo
ntdll.dll | RtlUnicodeStringToAnsiString
RstrtMgr.DLL | RmStartSession
Language of compilation system | Country where language is spoken | Map
Russian | Russia |
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/20/24-18:59:13.624078 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
06/20/24-18:58:58.560662 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
06/20/24-18:58:52.840391 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
06/20/24-18:57:14.894991 | TCP | 2049060 | ET TROJAN RisePro TCP Heartbeat Packet | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
06/20/24-18:59:07.355875 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
06/20/24-18:57:18.828226 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
06/20/24-18:58:03.049093 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
06/20/24-18:57:35.040865 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
06/20/24-18:57:15.478080 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
06/20/24-18:57:18.837910 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
06/20/24-18:58:58.606045 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
06/20/24-18:57:40.684951 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
06/20/24-18:57:26.019896 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
06/20/24-18:57:40.086663 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
06/20/24-18:57:40.210568 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
06/20/24-18:57:40.261626 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 20, 2024 18:57:14.867392063 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:14.872680902 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:14.872773886 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:14.894990921 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:14.900186062 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:15.478080034 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:15.526962996 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:18.209875107 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:18.215310097 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:18.215409994 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:18.219486952 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:18.224916935 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:18.225008965 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:18.238785982 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:18.239044905 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:18.244168043 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:18.244507074 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:18.605303049 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:18.610707045 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:18.828226089 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:18.837909937 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:18.870759964 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:18.886356115 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:21.949140072 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:21.949143887 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:21.954988956 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:21.955049992 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:25.393862963 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:25.398869991 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:25.398960114 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:25.410298109 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:25.415654898 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:26.019896030 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:26.073909998 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:29.136550903 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:29.141423941 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:34.425412893 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:34.430507898 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:34.430629015 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:34.440203905 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:34.445101023 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:35.040864944 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:35.089631081 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:38.168387890 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:38.173934937 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:40.086663008 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:40.136542082 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:40.189471960 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.189557076 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.189647913 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.190637112 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.190690041 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.210567951 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:40.261501074 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:40.261626005 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:40.269562006 CEST | 49743 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.269599915 CEST | 443 | 49743 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.269674063 CEST | 49743 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.270838976 CEST | 49743 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.270886898 CEST | 443 | 49743 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.290296078 CEST | 49744 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.290406942 CEST | 443 | 49744 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.290482998 CEST | 49744 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.291460991 CEST | 49744 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.291516066 CEST | 443 | 49744 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.308362961 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:40.684951067 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:40.706904888 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.707005024 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.711128950 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.711186886 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.711622000 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.727715969 CEST | 49745 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.727813005 CEST | 443 | 49745 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.727895975 CEST | 49745 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.728888035 CEST | 49745 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.728923082 CEST | 443 | 49745 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.730259895 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:40.755664110 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.790704012 CEST | 443 | 49744 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.790915966 CEST | 49744 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.791215897 CEST | 443 | 49743 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.791320086 CEST | 49743 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.792150021 CEST | 49744 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.792197943 CEST | 443 | 49744 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.792450905 CEST | 49743 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.792462111 CEST | 443 | 49743 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.792578936 CEST | 443 | 49744 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.792800903 CEST | 443 | 49743 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.796545982 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.839626074 CEST | 49744 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.842360973 CEST | 49743 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.860759020 CEST | 49744 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.869853973 CEST | 49743 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.883080959 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.883428097 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.883512020 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.886112928 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.886162043 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.886192083 CEST | 49742 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:40.886209965 CEST | 443 | 49742 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.896604061 CEST | 49746 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:40.896667957 CEST | 443 | 49746 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:40.896748066 CEST | 49746 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:40.897015095 CEST | 49746 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:40.897043943 CEST | 443 | 49746 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:40.904494047 CEST | 443 | 49744 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:40.912532091 CEST | 443 | 49743 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:41.000684023 CEST | 443 | 49744 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:41.000818014 CEST | 443 | 49744 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:41.001025915 CEST | 49744 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:41.001121044 CEST | 49744 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:41.001121044 CEST | 49744 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:41.001166105 CEST | 443 | 49744 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:41.001205921 CEST | 443 | 49744 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:41.002507925 CEST | 49747 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.002594948 CEST | 443 | 49747 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.002676010 CEST | 49747 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.003042936 CEST | 49747 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.003132105 CEST | 443 | 49747 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.009438038 CEST | 443 | 49743 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:41.009916067 CEST | 443 | 49743 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:41.009967089 CEST | 49743 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:41.010067940 CEST | 49743 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:41.010082960 CEST | 443 | 49743 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:41.010093927 CEST | 49743 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:41.010099888 CEST | 443 | 49743 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:41.011152983 CEST | 49748 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.011173010 CEST | 443 | 49748 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.011234999 CEST | 49748 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.011461020 CEST | 49748 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.011472940 CEST | 443 | 49748 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.334681034 CEST | 443 | 49745 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:41.334783077 CEST | 49745 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:41.335994005 CEST | 49745 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:41.336009979 CEST | 443 | 49745 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:41.336256027 CEST | 443 | 49745 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:41.384072065 CEST | 49745 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:41.424527884 CEST | 443 | 49745 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:41.508068085 CEST | 443 | 49745 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:41.508239985 CEST | 443 | 49745 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:41.508344889 CEST | 49745 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:41.508753061 CEST | 49745 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:41.508790016 CEST | 443 | 49745 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:41.508824110 CEST | 49745 | 443 | 192.168.2.4 | 34.117.186.192
Jun 20, 2024 18:57:41.508838892 CEST | 443 | 49745 | 34.117.186.192 | 192.168.2.4
Jun 20, 2024 18:57:41.510406971 CEST | 49749 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.510494947 CEST | 443 | 49749 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.510646105 CEST | 49749 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.510972023 CEST | 49749 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.511009932 CEST | 443 | 49749 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.516624928 CEST | 443 | 49747 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.516690969 CEST | 49747 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.518430948 CEST | 49747 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.518444061 CEST | 443 | 49747 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.518704891 CEST | 443 | 49747 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.520112991 CEST | 49747 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.525110006 CEST | 443 | 49746 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.525235891 CEST | 49746 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.526875973 CEST | 49746 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.526887894 CEST | 443 | 49746 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.527396917 CEST | 443 | 49746 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.528537035 CEST | 49746 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.533680916 CEST | 443 | 49748 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.533914089 CEST | 49748 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.534756899 CEST | 49748 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.534763098 CEST | 443 | 49748 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.535790920 CEST | 443 | 49748 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.536973000 CEST | 49748 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.560578108 CEST | 443 | 49747 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.572501898 CEST | 443 | 49746 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.580496073 CEST | 443 | 49748 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.670669079 CEST | 443 | 49747 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.670747042 CEST | 443 | 49747 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.670828104 CEST | 49747 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.671272993 CEST | 49747 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.671322107 CEST | 443 | 49747 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.671353102 CEST | 49747 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.671370029 CEST | 443 | 49747 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.671797037 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:57:41.677098989 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:57:41.707526922 CEST | 443 | 49746 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.707797050 CEST | 443 | 49746 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.707895994 CEST | 49746 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.708054066 CEST | 49746 | 443 | 192.168.2.4 | 172.67.75.166
Jun 20, 2024 18:57:41.708096981 CEST | 443 | 49746 | 172.67.75.166 | 192.168.2.4
Jun 20, 2024 18:57:41.708134890 CEST | 49746 | 443 | 192.168.2.4 | 172.67.75.166
                                                Jun 20, 2024 18:57:41.708153009 CEST44349746172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:57:41.708522081 CEST4973158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:57:41.709861994 CEST44349748172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:57:41.710084915 CEST44349748172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:57:41.710143089 CEST49748443192.168.2.4172.67.75.166
                                                Jun 20, 2024 18:57:41.710211039 CEST49748443192.168.2.4172.67.75.166
                                                Jun 20, 2024 18:57:41.710232019 CEST44349748172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:57:41.710256100 CEST49748443192.168.2.4172.67.75.166
                                                Jun 20, 2024 18:57:41.710268021 CEST44349748172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:57:41.711057901 CEST4973258709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:57:41.713349104 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:57:41.716022968 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:57:41.985795021 CEST44349749172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:57:41.985903025 CEST49749443192.168.2.4172.67.75.166
                                                Jun 20, 2024 18:57:41.987131119 CEST49749443192.168.2.4172.67.75.166
                                                Jun 20, 2024 18:57:41.987164021 CEST44349749172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:57:41.987513065 CEST44349749172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:57:41.991270065 CEST49749443192.168.2.4172.67.75.166
                                                Jun 20, 2024 18:57:42.036530018 CEST44349749172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:57:42.152816057 CEST44349749172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:57:42.153099060 CEST44349749172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:57:42.153202057 CEST49749443192.168.2.4172.67.75.166
                                                Jun 20, 2024 18:57:42.153469086 CEST49749443192.168.2.4172.67.75.166
                                                Jun 20, 2024 18:57:42.153507948 CEST44349749172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:57:42.153534889 CEST49749443192.168.2.4172.67.75.166
                                                Jun 20, 2024 18:57:42.153549910 CEST44349749172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:57:42.153923035 CEST4973958709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:57:42.159673929 CEST587094973977.91.77.66192.168.2.4
                                                Jun 20, 2024 18:57:49.464940071 CEST4973158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:57:49.470344067 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:57:52.715127945 CEST4973258709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:57:52.720165014 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:57:52.808721066 CEST4973358709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:57:52.814178944 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:57:59.480479002 CEST4973958709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:57:59.485503912 CEST587094973977.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:02.366193056 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:02.417916059 CEST4973158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:02.451795101 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:02.465960026 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:02.496141911 CEST4973258709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:02.511650085 CEST4973358709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:02.721391916 CEST587094973977.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:02.761667967 CEST4973958709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:03.049093008 CEST587094974177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:03.105618000 CEST4974158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:03.190819979 CEST49751443192.168.2.434.117.186.192
                                                Jun 20, 2024 18:58:03.190865040 CEST4434975134.117.186.192192.168.2.4
                                                Jun 20, 2024 18:58:03.190953970 CEST49751443192.168.2.434.117.186.192
                                                Jun 20, 2024 18:58:03.191906929 CEST49751443192.168.2.434.117.186.192
                                                Jun 20, 2024 18:58:03.191932917 CEST4434975134.117.186.192192.168.2.4
                                                Jun 20, 2024 18:58:03.659512997 CEST4434975134.117.186.192192.168.2.4
                                                Jun 20, 2024 18:58:03.659627914 CEST49751443192.168.2.434.117.186.192
                                                Jun 20, 2024 18:58:03.660859108 CEST49751443192.168.2.434.117.186.192
                                                Jun 20, 2024 18:58:03.660887957 CEST4434975134.117.186.192192.168.2.4
                                                Jun 20, 2024 18:58:03.661843061 CEST4434975134.117.186.192192.168.2.4
                                                Jun 20, 2024 18:58:03.701503992 CEST49751443192.168.2.434.117.186.192
                                                Jun 20, 2024 18:58:03.748549938 CEST4434975134.117.186.192192.168.2.4
                                                Jun 20, 2024 18:58:03.828887939 CEST4434975134.117.186.192192.168.2.4
                                                Jun 20, 2024 18:58:03.829221010 CEST4434975134.117.186.192192.168.2.4
                                                Jun 20, 2024 18:58:03.829324007 CEST49751443192.168.2.434.117.186.192
                                                Jun 20, 2024 18:58:03.829612017 CEST49751443192.168.2.434.117.186.192
                                                Jun 20, 2024 18:58:03.829665899 CEST4434975134.117.186.192192.168.2.4
                                                Jun 20, 2024 18:58:03.829696894 CEST49751443192.168.2.434.117.186.192
                                                Jun 20, 2024 18:58:03.829714060 CEST4434975134.117.186.192192.168.2.4
                                                Jun 20, 2024 18:58:03.832252026 CEST49752443192.168.2.4172.67.75.166
                                                Jun 20, 2024 18:58:03.832298994 CEST44349752172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:58:03.832386017 CEST49752443192.168.2.4172.67.75.166
                                                Jun 20, 2024 18:58:03.832801104 CEST49752443192.168.2.4172.67.75.166
                                                Jun 20, 2024 18:58:03.832832098 CEST44349752172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:58:04.384896994 CEST44349752172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:58:04.385020018 CEST49752443192.168.2.4172.67.75.166
                                                Jun 20, 2024 18:58:04.386295080 CEST49752443192.168.2.4172.67.75.166
                                                Jun 20, 2024 18:58:04.386311054 CEST44349752172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:58:04.387135983 CEST44349752172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:58:04.388725996 CEST49752443192.168.2.4172.67.75.166
                                                Jun 20, 2024 18:58:04.436502934 CEST44349752172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:58:04.556865931 CEST44349752172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:58:04.557096958 CEST44349752172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:58:04.557162046 CEST49752443192.168.2.4172.67.75.166
                                                Jun 20, 2024 18:58:04.557215929 CEST49752443192.168.2.4172.67.75.166
                                                Jun 20, 2024 18:58:04.557245016 CEST44349752172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:58:04.557271004 CEST49752443192.168.2.4172.67.75.166
                                                Jun 20, 2024 18:58:04.557285070 CEST44349752172.67.75.166192.168.2.4
                                                Jun 20, 2024 18:58:04.557780981 CEST4974158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:04.562638998 CEST587094974177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:09.293189049 CEST4974158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:09.298407078 CEST587094974177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:18.632580042 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:18.683968067 CEST4973158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:18.699707985 CEST4973158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:18.704699993 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:18.746516943 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:18.793112040 CEST4973258709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:18.808842897 CEST4973258709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:18.813803911 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:18.814426899 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:18.840141058 CEST4973358709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:18.845093012 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:19.420250893 CEST587094973977.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:19.449507952 CEST4973958709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:19.454644918 CEST587094973977.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:19.634773016 CEST587094974177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:19.683732986 CEST4974158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:21.761961937 CEST4973158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:21.769064903 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:25.012032032 CEST4973258709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:25.017864943 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:25.058866024 CEST4973358709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:25.064270020 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:31.965137959 CEST4973958709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:31.970119953 CEST587094973977.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:35.120271921 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:35.168335915 CEST4973158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:36.594540119 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:36.608009100 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:36.637063026 CEST4973258709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:36.652693033 CEST4973358709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:38.152647018 CEST587094973977.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:38.202181101 CEST4973958709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:38.512538910 CEST587094974177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:38.543402910 CEST4974158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:38.548664093 CEST587094974177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:41.654438019 CEST4974158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:41.659532070 CEST587094974177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:46.579662085 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:46.615417004 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:46.621339083 CEST4973158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:46.625395060 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:46.668185949 CEST4973358709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:46.668193102 CEST4973258709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:46.684319973 CEST4973258709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:46.684467077 CEST4973158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:46.684617996 CEST4973358709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:46.689163923 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:46.689290047 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:46.689438105 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:46.800071955 CEST587094973977.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:46.855700016 CEST4973958709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:46.856758118 CEST4973958709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:46.862021923 CEST587094973977.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:48.391851902 CEST587094974177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:48.433866978 CEST4974158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:52.840390921 CEST4973158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:52.847284079 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:55.355422974 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:55.402640104 CEST4973158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:55.439012051 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:55.464445114 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:55.480784893 CEST4973258709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:55.513658047 CEST4973358709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:55.705344915 CEST587094973977.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:55.748805046 CEST4973958709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:55.837332010 CEST587094974177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:55.887082100 CEST4974158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:55.934210062 CEST4974158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:55.939651012 CEST587094974177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:58.560662031 CEST4973258709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:58.566133976 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:58:58.606045008 CEST4973358709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:58:58.611638069 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.855362892 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.855537891 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.855609894 CEST4973158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.855878115 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.855892897 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.855909109 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.855936050 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.855950117 CEST4973158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.855951071 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.855989933 CEST4973158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.856003046 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.856019020 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.856050968 CEST4973158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.856446981 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.856463909 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.856478930 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.856616974 CEST4973158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.856981993 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.856995106 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.857064009 CEST4973158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.857400894 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.857465982 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.857481003 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.857518911 CEST4973158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.890222073 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.890256882 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.890310049 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.890326977 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.890341997 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.890355110 CEST4973258709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.890439987 CEST4973258709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.890707970 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.890753031 CEST4973258709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.891439915 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.891453981 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.891468048 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.891484022 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.891495943 CEST4973258709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.891498089 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.891515017 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.891529083 CEST4973258709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.891557932 CEST4973258709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.891727924 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.891753912 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.891768932 CEST587094973277.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.891793966 CEST4973258709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.902725935 CEST4973158709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.902962923 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.903286934 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.903357983 CEST4973358709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.903570890 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.903584957 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.903636932 CEST4973358709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.903678894 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.903692961 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.903740883 CEST4973358709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.904050112 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.904494047 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.904544115 CEST4973358709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.904566050 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.904578924 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.904620886 CEST4973358709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.904733896 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.904901028 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.904913902 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.904938936 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.904952049 CEST4973358709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.904953957 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.904972076 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.904997110 CEST4973358709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.905028105 CEST4973358709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.905575037 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.908236980 CEST587094973377.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.908297062 CEST4973358709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.933921099 CEST4973258709192.168.2.477.91.77.66
                                                Jun 20, 2024 18:59:03.982393026 CEST587094973177.91.77.66192.168.2.4
                                                Jun 20, 2024 18:59:03.982443094 CEST587094973177.91.77.66192.168.2.4
Jun 20, 2024 18:59:03.982479095 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:03.982513905 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:03.982515097 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:03.982577085 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.012788057 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.012854099 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.012885094 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.012924910 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.012958050 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.012991905 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.013025999 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.013029099 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.013098001 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.021223068 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.021384001 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.021418095 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.021451950 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.021461010 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.021488905 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.021500111 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.027765989 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.027870893 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.032684088 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.032716990 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.070729017 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.070976973 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.071012974 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.071059942 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.071085930 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.071141005 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.071779966 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.071832895 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.071888924 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.073100090 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.073129892 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.073189020 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.073784113 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.073813915 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.073868990 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.073923111 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.073993921 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.074023962 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.074044943 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.074179888 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.074297905 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.074331045 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.074354887 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.074811935 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.074863911 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.075196981 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.076070070 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.076132059 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.076296091 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.121471882 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.121541977 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.137613058 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.142573118 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.157079935 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.187741995 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.188908100 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.188963890 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.188966036 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.189017057 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.189065933 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.189066887 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.189116001 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:04.189173937 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.199547052 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.247224092 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:04.252103090 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:07.355875015 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:07.362529039 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.077682018 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.108182907 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.121596098 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:10.138931036 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.152730942 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:10.184130907 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:10.267925024 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.277990103 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:10.282882929 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.357955933 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.358006954 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.358066082 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:10.358159065 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.358189106 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.358246088 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:10.358541012 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.358577013 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.358612061 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.358663082 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:10.358700037 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.358757973 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:10.358772039 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.359008074 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.359038115 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.359069109 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:10.359175920 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.359204054 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.359231949 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:10.359621048 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.359648943 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.359690905 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:10.359745026 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.359778881 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.359802008 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:10.364290953 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.364351988 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:10.482995987 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.483170033 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.483205080 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.483239889 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.483252048 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:10.483297110 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:10.488450050 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.488501072 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:10.488565922 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:10.496721029 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:10.501696110 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:13.624078035 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:13.629488945 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:15.470177889 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:15.528093100 CEST | 49731 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:15.533096075 CEST | 58709 | 49731 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:15.538882017 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:15.554799080 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:15.590244055 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:15.605875969 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:15.637245893 CEST | 49733 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:15.637370110 CEST | 49732 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:15.642118931 CEST | 58709 | 49733 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:15.642208099 CEST | 58709 | 49732 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:15.685239077 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:15.730901003 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:15.943691015 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:15.943802118 CEST | 58709 | 49739 | 77.91.77.66 | 192.168.2.4
Jun 20, 2024 18:59:15.943872929 CEST | 49739 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:15.965406895 CEST | 49741 | 58709 | 192.168.2.4 | 77.91.77.66
Jun 20, 2024 18:59:15.970355988 CEST | 58709 | 49741 | 77.91.77.66 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 20, 2024 18:57:40.177056074 CEST | 62226 | 53 | 192.168.2.4 | 1.1.1.1
Jun 20, 2024 18:57:40.185633898 CEST | 53 | 62226 | 1.1.1.1 | 192.168.2.4
Jun 20, 2024 18:57:40.888211966 CEST | 59892 | 53 | 192.168.2.4 | 1.1.1.1
Jun 20, 2024 18:57:40.896069050 CEST | 53 | 59892 | 1.1.1.1 | 192.168.2.4
Jun 20, 2024 18:58:03.178292036 CEST | 54465 | 53 | 192.168.2.4 | 1.1.1.1
Jun 20, 2024 18:58:03.186853886 CEST | 53 | 54465 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 20, 2024 18:57:40.177056074 CEST | 192.168.2.4 | 1.1.1.1 | 0x3b85 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Jun 20, 2024 18:57:40.888211966 CEST | 192.168.2.4 | 1.1.1.1 | 0x2b33 | Standard query (0) | db-ip.com | A (IP address) | IN (0x0001) | false
Jun 20, 2024 18:58:03.178292036 CEST | 192.168.2.4 | 1.1.1.1 | 0x3f5b | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jun 20, 2024 18:57:40.185633898 CEST | 1.1.1.1 | 192.168.2.4 | 0x3b85 | No error (0) | ipinfo.io |  | 34.117.186.192 | A (IP address) | IN (0x0001) | false
Jun 20, 2024 18:57:40.896069050 CEST | 1.1.1.1 | 192.168.2.4 | 0x2b33 | No error (0) | db-ip.com |  | 172.67.75.166 | A (IP address) | IN (0x0001) | false
Jun 20, 2024 18:57:40.896069050 CEST | 1.1.1.1 | 192.168.2.4 | 0x2b33 | No error (0) | db-ip.com |  | 104.26.5.15 | A (IP address) | IN (0x0001) | false
Jun 20, 2024 18:57:40.896069050 CEST | 1.1.1.1 | 192.168.2.4 | 0x2b33 | No error (0) | db-ip.com |  | 104.26.4.15 | A (IP address) | IN (0x0001) | false
Jun 20, 2024 18:58:03.186853886 CEST | 1.1.1.1 | 192.168.2.4 | 0x3f5b | No error (0) | ipinfo.io |  | 34.117.186.192 | A (IP address) | IN (0x0001) | false
• ipinfo.io
• https:
• db-ip.com
Session ID | Source IP | Source Port | Destination IP | Destination Port
0 | 192.168.2.4 | 49730 | 34.117.186.192 | 443
Timestamp | Bytes transferred | Direction | Data
2024-06-20 16:56:58 UTC | 59 | OUT | GET / HTTP/1.1
Host: ipinfo.io
Connection: Keep-Alive
2024-06-20 16:56:58 UTC | 513 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Thu, 20 Jun 2024 16:56:58 GMT
content-type: application/json; charset=utf-8
Content-Length: 319
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 1
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-06-20 16:56:58 UTC | 319 | IN | Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22
Data Ascii: { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone": "


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49742 | 34.117.186.192 | 443 | 7408 | C:\Users\user\Desktop\YnsEArPlqx.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-20 16:57:40 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: ipinfo.io
2024-06-20 16:57:40 UTC | 514 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Thu, 20 Jun 2024 16:57:40 GMT
content-type: application/json; charset=utf-8
Content-Length: 1025
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 2
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-06-20 16:57:40 UTC | 876 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-20 16:57:40 UTC | 149 | IN | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49744 | 34.117.186.192 | 443 | 7632 | C:\ProgramData\MPGPH131\MPGPH131.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-20 16:57:40 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: ipinfo.io
2024-06-20 16:57:40 UTC | 514 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Thu, 20 Jun 2024 16:57:40 GMT
content-type: application/json; charset=utf-8
Content-Length: 1025
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 3
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-06-20 16:57:40 UTC | 876 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-20 16:57:40 UTC | 149 | IN | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49743 | 34.117.186.192 | 443 | 7640 | C:\ProgramData\MPGPH131\MPGPH131.exe
Timestamp | Bytes transferred | Direction | Data
2024-06-20 16:57:40 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: ipinfo.io
2024-06-20 16:57:41 UTC | 514 | IN | HTTP/1.1 200 OK
server: nginx/1.24.0
date: Thu, 20 Jun 2024 16:57:40 GMT
content-type: application/json; charset=utf-8
Content-Length: 1025
access-control-allow-origin: *
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
x-envoy-upstream-service-time: 3
via: 1.1 google
strict-transport-security: max-age=2592000; includeSubDomains
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Connection: close
2024-06-20 16:57:41 UTC | 876 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-20 16:57:41 UTC | 149 | IN | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                4 | 192.168.2.4 | 49745 | 34.117.186.192 | 443 | 7852 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-06-20 16:57:41 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
                                                Connection: Keep-Alive
                                                Referer: https://ipinfo.io/
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                                Host: ipinfo.io
                                                2024-06-20 16:57:41 UTC | 514 | IN | HTTP/1.1 200 OK
                                                server: nginx/1.24.0
                                                date: Thu, 20 Jun 2024 16:57:41 GMT
                                                content-type: application/json; charset=utf-8
                                                Content-Length: 1025
                                                access-control-allow-origin: *
                                                x-frame-options: SAMEORIGIN
                                                x-xss-protection: 1; mode=block
                                                x-content-type-options: nosniff
                                                referrer-policy: strict-origin-when-cross-origin
                                                x-envoy-upstream-service-time: 1
                                                via: 1.1 google
                                                strict-transport-security: max-age=2592000; includeSubDomains
                                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                Connection: close
                                                2024-06-20 16:57:41 UTC | 876 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
                                                Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
                                                2024-06-20 16:57:41 UTC | 149 | IN | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
                                                Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                5 | 192.168.2.4 | 49747 | 172.67.75.166 | 443 | 7632 | C:\ProgramData\MPGPH131\MPGPH131.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-06-20 16:57:41 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                                Connection: Keep-Alive
                                                Content-Type: application/x-www-form-urlencoded
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                                Host: db-ip.com
                                                2024-06-20 16:57:41 UTC | 655 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 20 Jun 2024 16:57:41 GMT
                                                Content-Type: application/json
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                x-iplb-request-id: A29E9FE1:D714_93878F2E:0050_66745F85_14B39213:7B63
                                                x-iplb-instance: 59128
                                                CF-Cache-Status: DYNAMIC
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HcbdHTtm2uVTP4Mc5vf6eNWdfb6Ft2A3SgY6kjX50L8q8LFjzI6%2B%2BoW3fetUlMEbQmDtEuqgEsFLQr9i10OXEsHNuErlCYvvQWSB%2FxOrhnkPQsHQPtbUJd8nLw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 896d4ca2e9d941f9-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                2024-06-20 16:57:41 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
                                                Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                                                2024-06-20 16:57:41 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                6 | 192.168.2.4 | 49746 | 172.67.75.166 | 443 | 7408 | C:\Users\user\Desktop\YnsEArPlqx.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-06-20 16:57:41 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                                Connection: Keep-Alive
                                                Content-Type: application/x-www-form-urlencoded
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                                Host: db-ip.com
                                                2024-06-20 16:57:41 UTC | 667 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 20 Jun 2024 16:57:41 GMT
                                                Content-Type: application/json
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                x-iplb-request-id: AC466E06:B3FC_93878F2E:0050_66745F85_14B39214:7B63
                                                x-iplb-instance: 59128
                                                CF-Cache-Status: DYNAMIC
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2Bc0yxZJ1%2Fnb7ma9BR3PjeKUhvXaJcckcQh93aipnmSMWbqYrCU7NGVsyuegQD%2BLcIHBcW7jUZaItcvAlff7g1xZd%2F3x%2B7%2FpVb81JGTuOaOS2%2FL%2BcEkvUM8T%2B7Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 896d4ca30e1b17a5-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                2024-06-20 16:57:41 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
                                                Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                                                2024-06-20 16:57:41 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                7 | 192.168.2.4 | 49748 | 172.67.75.166 | 443 | 7640 | C:\ProgramData\MPGPH131\MPGPH131.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-06-20 16:57:41 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                                Connection: Keep-Alive
                                                Content-Type: application/x-www-form-urlencoded
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                                Host: db-ip.com
                                                2024-06-20 16:57:41 UTC | 653 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 20 Jun 2024 16:57:41 GMT
                                                Content-Type: application/json
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                x-iplb-request-id: AC466ED9:BFFA_93878F2E:0050_66745F85_14C7BFE1:4F34
                                                x-iplb-instance: 59215
                                                CF-Cache-Status: DYNAMIC
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8YoK0LJLyX0LAZq5adY8GhpzxjxdbYxGx1S8ymxVoqA6GU%2BhTn3wcGwGmE9tzJtzlqpobHWts%2BcIf1YkJDGeEn6yWBKW99R1sG81Qu2BLWHjKObhviKunZofEA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 896d4ca31c6a80d0-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                2024-06-20 16:57:41 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
                                                Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                                                2024-06-20 16:57:41 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                8 | 192.168.2.4 | 49749 | 172.67.75.166 | 443 | 7852 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-06-20 16:57:41 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                                Connection: Keep-Alive
                                                Content-Type: application/x-www-form-urlencoded
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                                Host: db-ip.com
                                                2024-06-20 16:57:42 UTC | 659 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 20 Jun 2024 16:57:42 GMT
                                                Content-Type: application/json
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                x-iplb-request-id: AC46E715:6DD8_93878F2E:0050_66745F86_14B3922A:7B63
                                                x-iplb-instance: 59128
                                                CF-Cache-Status: DYNAMIC
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vpwLOtZz2G5NUXqOespxGiz%2FBKgieP70dT%2Bw1AJLekUyzAuB0o9Yvr898O60kyoaO7M15Il%2BxNi7%2BnNSXmlkJ794u9s1krwG%2F3QT6RWpGBJyJMGwBe9WZtae8A%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 896d4ca5dc397295-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                2024-06-20 16:57:42 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
                                                Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                                                2024-06-20 16:57:42 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                9 | 192.168.2.4 | 49751 | 34.117.186.192 | 443 | 8008 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-06-20 16:58:03 UTC | 236 | OUT | GET /widget/demo/8.46.123.33 HTTP/1.1
                                                Connection: Keep-Alive
                                                Referer: https://ipinfo.io/
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                                Host: ipinfo.io
                                                2024-06-20 16:58:03 UTC | 514 | IN | HTTP/1.1 200 OK
                                                server: nginx/1.24.0
                                                date: Thu, 20 Jun 2024 16:58:03 GMT
                                                content-type: application/json; charset=utf-8
                                                Content-Length: 1025
                                                access-control-allow-origin: *
                                                x-frame-options: SAMEORIGIN
                                                x-xss-protection: 1; mode=block
                                                x-content-type-options: nosniff
                                                referrer-policy: strict-origin-when-cross-origin
                                                x-envoy-upstream-service-time: 2
                                                via: 1.1 google
                                                strict-transport-security: max-age=2592000; includeSubDomains
                                                Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
                                                Connection: close
                                                2024-06-20 16:58:03 UTC | 876 | IN | Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20
                                                Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
                                                2024-06-20 16:58:03 UTC | 149 | IN | Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d
                                                Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                10 | 192.168.2.4 | 49752 | 172.67.75.166 | 443 | 8008 | C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                2024-06-20 16:58:04 UTC | 260 | OUT | GET /demo/home.php?s=8.46.123.33 HTTP/1.1
                                                Connection: Keep-Alive
                                                Content-Type: application/x-www-form-urlencoded
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
                                                Host: db-ip.com
                                                2024-06-20 16:58:04 UTC | 657 | IN | HTTP/1.1 200 OK
                                                Date: Thu, 20 Jun 2024 16:58:04 GMT
                                                Content-Type: application/json
                                                Transfer-Encoding: chunked
                                                Connection: close
                                                x-iplb-request-id: A29E9BB3:866C_93878F2E:0050_66745F9C_14B39570:7B63
                                                x-iplb-instance: 59128
                                                CF-Cache-Status: DYNAMIC
                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KGJ5SYB7Y4e4XV8agE04lOslY6J3qfrwxLZu1IBBBct7GIlm5qcbzEv7gbhOBZ%2BPKJiR%2BeI8oMJKFsBnGMTKn9tQrmkXYHuk3IHdARmQfKCIbhRg7T%2F%2F70f1Dw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                Server: cloudflare
                                                CF-RAY: 896d4d31eda743bf-EWR
                                                alt-svc: h3=":443"; ma=86400
                                                2024-06-20 16:58:04 UTC | 85 | IN | Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a
                                                Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
                                                2024-06-20 16:58:04 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                Data Ascii: 0



                                                Target ID:0
                                                Start time:12:57:10
                                                Start date:20/06/2024
                                                Path:C:\Users\user\Desktop\YnsEArPlqx.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\YnsEArPlqx.exe"
                                                Imagebase:0x400000
                                                File size:3'270'672 bytes
                                                MD5 hash:AB8E88BFF0B907FC49B949D704490018
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:false

                                                Target ID:2
                                                Start time:12:57:13
                                                Start date:20/06/2024
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                                                Imagebase:0x1c0000
                                                File size:187'904 bytes
                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:3
                                                Start time:12:57:13
                                                Start date:20/06/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:4
                                                Start time:12:57:13
                                                Start date:20/06/2024
                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                Wow64 process (32bit):true
                                                Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                                                Imagebase:0x1c0000
                                                File size:187'904 bytes
                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:5
                                                Start time:12:57:13
                                                Start date:20/06/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7699e0000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:6
                                                Start time:12:57:14
                                                Start date:20/06/2024
                                                Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                Imagebase:0x400000
                                                File size:3'270'672 bytes
                                                MD5 hash:AB8E88BFF0B907FC49B949D704490018
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Antivirus matches:
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 55%, ReversingLabs
                                                Reputation:low
                                                Has exited:false

                                                Target ID:7
                                                Start time:12:57:14
                                                Start date:20/06/2024
                                                Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                Imagebase:0x400000
                                                File size:3'270'672 bytes
                                                MD5 hash:AB8E88BFF0B907FC49B949D704490018
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:false

                                                Target ID:11
                                                Start time:12:57:22
                                                Start date:20/06/2024
                                                Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                                Imagebase:0x400000
                                                File size:3'270'672 bytes
                                                MD5 hash:AB8E88BFF0B907FC49B949D704490018
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Antivirus matches:
                                                • Detection: 100%, Joe Sandbox ML
                                                • Detection: 55%, ReversingLabs
                                                Reputation:low
                                                Has exited:false

                                                Target ID:12
                                                Start time:12:57:30
                                                Start date:20/06/2024
                                                Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                                Imagebase:0x400000
                                                File size:3'270'672 bytes
                                                MD5 hash:AB8E88BFF0B907FC49B949D704490018
                                                Has elevated privileges:false
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:false
