Windows Analysis Report
PNO3otPYOa.exe

Overview

General Information

Sample name: PNO3otPYOa.exe
renamed because original name is a hash value
Original sample name: ffccf1df9e560e259284b35348a3989f.exe
Analysis ID: 1460309
MD5: ffccf1df9e560e259284b35348a3989f
SHA1: 853ad3befc8423ebd10442fc1fd3d436b3656afa
SHA256: e2de3f42bd8737b0b825370aa662cf700b88a05832e4c26a3c7d8a3579b03227
Tags: exe, RiseProStealer

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • PNO3otPYOa.exe (PID: 3168 cmdline: "C:\Users\user\Desktop\PNO3otPYOa.exe" MD5: FFCCF1DF9E560E259284B35348A3989F)
    • schtasks.exe (PID: 6520 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5836 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 5636 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1972 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 2668 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: FFCCF1DF9E560E259284B35348A3989F)
    • WerFault.exe (PID: 5136 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1916 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 2272 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: FFCCF1DF9E560E259284B35348A3989F)
    • WerFault.exe (PID: 1988 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 1736 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • RageMP131.exe (PID: 4956 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: FFCCF1DF9E560E259284B35348A3989F)
  • RageMP131.exe (PID: 4440 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: FFCCF1DF9E560E259284B35348A3989F)
  • cleanup
No configs have been found
Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\J7z8s88sXcCE6j1G9cCUUTi.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
C:\Users\user\AppData\Local\Temp\r_sRxMygZ5JYHZAcFpnL_Yd.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security

Source | Rule | Description | Author
00000006.00000002.2840550495.00000000057C0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000007.00000002.2823886060.00000000057C0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000000.00000002.2855619080.00000000057C6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000000.00000003.2619633459.00000000057C6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security

                System Summary

Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\PNO3otPYOa.exe, ProcessId: 3168, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
06/20/24-19:37:42.593714 | 2046269 | 49707 | 58709 | TCP | A Network Trojan was detected
06/20/24-19:37:22.677810 | 2046266 | 58709 | 49717 | TCP | A Network Trojan was detected
06/20/24-19:37:42.406359 | 2046269 | 49706 | 58709 | TCP | A Network Trojan was detected
06/20/24-19:38:03.935564 | 2046267 | 58709 | 49717 | TCP | A Network Trojan was detected
06/20/24-19:37:57.156294 | 2046269 | 49717 | 58709 | TCP | A Network Trojan was detected
06/20/24-19:37:15.832806 | 2046266 | 58709 | 49710 | TCP | A Network Trojan was detected
06/20/24-19:37:50.390622 | 2046269 | 49710 | 58709 | TCP | A Network Trojan was detected
06/20/24-19:37:01.301696 | 2049060 | 49705 | 58709 | TCP | A Network Trojan was detected
06/20/24-19:37:47.877509 | 2046267 | 58709 | 49706 | TCP | A Network Trojan was detected
06/20/24-19:37:36.375060 | 2046269 | 49705 | 58709 | TCP | A Network Trojan was detected
06/20/24-19:37:47.713249 | 2046267 | 58709 | 49705 | TCP | A Network Trojan was detected
06/20/24-19:37:47.917742 | 2046267 | 58709 | 49707 | TCP | A Network Trojan was detected
06/20/24-19:37:01.927137 | 2046266 | 58709 | 49705 | TCP | A Network Trojan was detected
06/20/24-19:37:07.981504 | 2046266 | 58709 | 49706 | TCP | A Network Trojan was detected
06/20/24-19:37:08.081416 | 2046266 | 58709 | 49707 | TCP | A Network Trojan was detected

                AV Detection

Source: http://77.91.77.81/mine/amadka.exe; Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exe; Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exen; Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe/risepro; Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exeh; Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe00.1; Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exerracoi$; Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe; Avira URL Cloud: Label: malware
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; ReversingLabs: Detection: 57%
Source: PNO3otPYOa.exe; ReversingLabs: Detection: 54%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Joe Sandbox ML: detected
Source: PNO3otPYOa.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\PNO3otPYOa.exe; Code function: 0_2_004C6B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,0_2_004C6B00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 6_2_004C6B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,6_2_004C6B00
Source: PNO3otPYOa.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49728 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49729 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: C:\Users\user\Desktop\PNO3otPYOa.exe; Code function: 0_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004C6000
Source: C:\Users\user\Desktop\PNO3otPYOa.exe; Code function: 0_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,0_2_004E6770
Source: C:\Users\user\Desktop\PNO3otPYOa.exe; Code function: 0_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,0_2_00493F40
Source: C:\Users\user\Desktop\PNO3otPYOa.exe; Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_004DFF00
Source: C:\Users\user\Desktop\PNO3otPYOa.exe; Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError,0_2_00431F9C
Source: C:\Users\user\Desktop\PNO3otPYOa.exe; Code function: 0_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,0_2_00432022
Source: C:\Users\user\Desktop\PNO3otPYOa.exe; Code function: 0_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004938D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 6_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,6_2_004C6000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 6_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,6_2_004E6770
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 6_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,6_2_00493F40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 6_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,6_2_004DFF00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 6_2_00431F9C FindClose,FindFirstFileExW,GetLastError,6_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 6_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,6_2_00432022
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 6_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,6_2_004938D0

                Networking

Source: Traffic; Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49705 -> 77.91.77.66:58709
Source: Traffic; Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.5:49705
Source: Traffic; Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49705 -> 77.91.77.66:58709
Source: Traffic; Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.5:49706
Source: Traffic; Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.5:49707
Source: Traffic; Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49706 -> 77.91.77.66:58709
Source: Traffic; Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49707 -> 77.91.77.66:58709
Source: Traffic; Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.5:49710
Source: Traffic; Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49710 -> 77.91.77.66:58709
Source: Traffic; Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.5:49717
Source: Traffic; Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49717 -> 77.91.77.66:58709
Source: Traffic; Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.5:49705
Source: Traffic; Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.5:49706
Source: Traffic; Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.5:49707
Source: Traffic; Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.5:49717
Source: global traffic; TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9
Source: global traffic; TCP traffic: 192.168.2.5:49705 -> 77.91.77.66:58709
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | Host: ipinfo.io | Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View; IP Address: 104.26.4.15 104.26.4.15
Source: Joe Sandbox View; IP Address: 77.91.77.66 77.91.77.66
Source: Joe Sandbox View; ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: Joe Sandbox View; JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown; DNS query: name: ipinfo.io
Source: global traffic; HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Referer: https://ipinfo.io/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: ipinfo.io
Source: global traffic; HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: db-ip.com
Source: unknown; TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: C:\Users\user\Desktop\PNO3otPYOa.exe; Code function: 0_2_004C8590 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,FreeAddrInfoW,WSACleanup,FreeAddrInfoW,0_2_004C8590
                Source: global trafficDNS traffic detected: DNS query: ipinfo.io
                Source: global trafficDNS traffic detected: DNS query: db-ip.com
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://77.91.77.81/cost/go.exe
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://77.91.77.81/cost/go.exen
                Source: PNO3otPYOa.exe, 00000000.00000003.2619633459.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://77.91.77.81/cost/lenin.exe
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://77.91.77.81/cost/lenin.exe/risepro
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://77.91.77.81/cost/lenin.exe00.1
                Source: PNO3otPYOa.exe, 00000000.00000003.2619633459.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://77.91.77.81/cost/lenin.exerracoi$
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://77.91.77.81/mine/amadka.exe
                Source: PNO3otPYOa.exe, 00000000.00000003.2619633459.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://77.91.77.81/mine/amadka.exeh
                Source: Amcache.hve.16.drString found in binary or memory: http://upx.sf.net
                Source: PNO3otPYOa.exe, 00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmp, PNO3otPYOa.exe, 00000000.00000003.2023432722.0000000000DF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2835935957.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2083193308.0000000000D30000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2821306165.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2084187915.00000000028C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2749828404.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2165267286.0000000002890000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2245506050.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2750366653.000000000055D000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
                Source: PNO3otPYOa.exe, 00000000.00000003.2604183436.0000000005832000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596706124.000000000582B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2599498555.0000000005B68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2600576237.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2607497230.0000000005826000.00000004.00000020.00020000.00000000.sdmp, IK3k1Eo6e4pjWeb Data.0.dr, y31C2U2FqEpfWeb Data.6.dr, oRcPvxQGoX66Web Data.6.dr, vSjx5btCeh_cWeb Data.0.dr, Rj9znu7z1UNzWeb Data.0.dr, OkfPwCov6EatWeb Data.6.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: PNO3otPYOa.exe, 00000000.00000003.2604183436.0000000005832000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596706124.000000000582B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2599498555.0000000005B68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2600576237.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2607497230.0000000005826000.00000004.00000020.00020000.00000000.sdmp, IK3k1Eo6e4pjWeb Data.0.dr, y31C2U2FqEpfWeb Data.6.dr, oRcPvxQGoX66Web Data.6.dr, vSjx5btCeh_cWeb Data.0.dr, Rj9znu7z1UNzWeb Data.0.dr, OkfPwCov6EatWeb Data.6.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: PNO3otPYOa.exe, 00000000.00000003.2604183436.0000000005832000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596706124.000000000582B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2599498555.0000000005B68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2600576237.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2607497230.0000000005826000.00000004.00000020.00020000.00000000.sdmp, IK3k1Eo6e4pjWeb Data.0.dr, y31C2U2FqEpfWeb Data.6.dr, oRcPvxQGoX66Web Data.6.dr, vSjx5btCeh_cWeb Data.0.dr, Rj9znu7z1UNzWeb Data.0.dr, OkfPwCov6EatWeb Data.6.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: PNO3otPYOa.exe, 00000000.00000003.2604183436.0000000005832000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596706124.000000000582B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2599498555.0000000005B68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2600576237.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2607497230.0000000005826000.00000004.00000020.00020000.00000000.sdmp, IK3k1Eo6e4pjWeb Data.0.dr, y31C2U2FqEpfWeb Data.6.dr, oRcPvxQGoX66Web Data.6.dr, vSjx5btCeh_cWeb Data.0.dr, Rj9znu7z1UNzWeb Data.0.dr, OkfPwCov6EatWeb Data.6.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2751365986.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2751365986.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2752487929.0000000000FC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000FC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/PS
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/Z
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2751365986.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2752487929.0000000000FC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33?2
                Source: RageMP131.exe, 00000008.00000002.2751365986.0000000000CD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33s
                Source: RageMP131.exe, 00000008.00000002.2751365986.0000000000CD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/~
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/~OM
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2751365986.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2752487929.0000000000FC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.3352
                Source: PNO3otPYOa.exe, 00000000.00000003.2604183436.0000000005832000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596706124.000000000582B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2599498555.0000000005B68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2600576237.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2607497230.0000000005826000.00000004.00000020.00020000.00000000.sdmp, IK3k1Eo6e4pjWeb Data.0.dr, y31C2U2FqEpfWeb Data.6.dr, oRcPvxQGoX66Web Data.6.dr, vSjx5btCeh_cWeb Data.0.dr, Rj9znu7z1UNzWeb Data.0.dr, OkfPwCov6EatWeb Data.6.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: PNO3otPYOa.exe, 00000000.00000003.2604183436.0000000005832000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596706124.000000000582B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2599498555.0000000005B68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2600576237.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2607497230.0000000005826000.00000004.00000020.00020000.00000000.sdmp, IK3k1Eo6e4pjWeb Data.0.dr, y31C2U2FqEpfWeb Data.6.dr, oRcPvxQGoX66Web Data.6.dr, vSjx5btCeh_cWeb Data.0.dr, Rj9znu7z1UNzWeb Data.0.dr, OkfPwCov6EatWeb Data.6.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: PNO3otPYOa.exe, 00000000.00000003.2604183436.0000000005832000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596706124.000000000582B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2599498555.0000000005B68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2600576237.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2607497230.0000000005826000.00000004.00000020.00020000.00000000.sdmp, IK3k1Eo6e4pjWeb Data.0.dr, y31C2U2FqEpfWeb Data.6.dr, oRcPvxQGoX66Web Data.6.dr, vSjx5btCeh_cWeb Data.0.dr, Rj9znu7z1UNzWeb Data.0.dr, OkfPwCov6EatWeb Data.6.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: RageMP131.exe, 00000008.00000002.2751365986.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2752487929.0000000000FAB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2752487929.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2752487929.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2752487929.0000000000F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F16000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2838904205.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2751365986.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2752487929.0000000000FAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/Mozilla/5.0
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/SE
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000E33000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/T
                Source: PNO3otPYOa.exe, 00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmp, PNO3otPYOa.exe, 00000000.00000003.2023432722.0000000000DF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2835935957.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2083193308.0000000000D30000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2821306165.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2084187915.00000000028C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2749828404.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2165267286.0000000002890000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2245506050.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2750366653.000000000055D000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/k
                Source: RageMP131.exe, 00000008.00000002.2751365986.0000000000CC9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/uQX
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000F8D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000F38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33?
                Source: RageMP131.exe, 00000008.00000002.2751365986.0000000000C5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33B
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000DEB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33OV
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000EEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33o
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000D9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33x
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F16000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2838904205.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
                Source: RageMP131.exe, 00000008.00000002.2751365986.0000000000CD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33G
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000FAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33r
                Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org
                Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.7
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000E9E000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2840550495.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2838904205.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2823886060.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2751365986.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2752487929.0000000000F38000.00000004.00000020.00020000.00000000.sdmp, J7z8s88sXcCE6j1G9cCUUTi.zip.6.dr, r_sRxMygZ5JYHZAcFpnL_Yd.zip.0.drString found in binary or memory: https://t.me/RiseProSUPPORT
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000E9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORT;
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000D9D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTF
                Source: MPGPH131.exe, 00000006.00000002.2840550495.00000000057C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTJ9U
                Source: RageMP131.exe, 00000008.00000002.2751365986.0000000000C5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTp;
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTted88
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr, passwords.txt.6.drString found in binary or memory: https://t.me/risepro_bot
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot.46.123.33b
                Source: RageMP131.exe, 00000008.00000002.2751365986.0000000000CD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot2
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000FC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botDU
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botL
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botY
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000FC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botisepro_bot
                Source: RageMP131.exe, 00000008.00000002.2751365986.0000000000CD5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botrisepro
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bots
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000FC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.zx
                Source: PNO3otPYOa.exe, 00000000.00000003.2604183436.0000000005832000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596706124.000000000582B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2599498555.0000000005B68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2600576237.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2607497230.0000000005826000.00000004.00000020.00020000.00000000.sdmp, IK3k1Eo6e4pjWeb Data.0.dr, y31C2U2FqEpfWeb Data.6.dr, oRcPvxQGoX66Web Data.6.dr, vSjx5btCeh_cWeb Data.0.dr, Rj9znu7z1UNzWeb Data.0.dr, OkfPwCov6EatWeb Data.6.drString found in binary or memory: https://www.ecosia.org/newtab/
                Source: PNO3otPYOa.exe, 00000000.00000003.2604183436.0000000005832000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596706124.000000000582B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2599498555.0000000005B68000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2600576237.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2607497230.0000000005826000.00000004.00000020.00020000.00000000.sdmp, IK3k1Eo6e4pjWeb Data.0.dr, y31C2U2FqEpfWeb Data.6.dr, oRcPvxQGoX66Web Data.6.dr, vSjx5btCeh_cWeb Data.0.dr, Rj9znu7z1UNzWeb Data.0.dr, OkfPwCov6EatWeb Data.6.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: PNO3otPYOa.exe, MPGPH131.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org
                Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                Source: PNO3otPYOa.exe, 00000000.00000003.2619633459.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                Source: PNO3otPYOa.exe, 00000000.00000003.2610854014.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2619633459.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2604694117.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2605775440.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2603602544.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596911417.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2592530864.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2618678401.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2651907976.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2594138136.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2601645989.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2615048675.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2619040137.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2613206614.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2840729994.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2618150729.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2617064829.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2616066299.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2595194273.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2616427478.0000000005812000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/y
                Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: PNO3otPYOa.exe, 00000000.00000003.2610854014.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2619633459.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2604694117.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2605775440.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2603602544.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596911417.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2592530864.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2618678401.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2651907976.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2594138136.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2601645989.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2615048675.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2619040137.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2613206614.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2840729994.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2618150729.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2617064829.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2616066299.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2595194273.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2616427478.0000000005812000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                Source: PNO3otPYOa.exe, 00000000.00000003.2619633459.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/7)_1
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/ata
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/efox/
                Source: PNO3otPYOa.exe, 00000000.00000003.2610854014.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2619633459.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2604694117.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2605775440.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2603602544.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2596911417.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2592530864.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2618678401.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2651907976.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2594138136.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2601645989.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2615048675.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2619040137.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2613206614.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2840729994.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2618150729.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2617064829.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2616066299.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2595194273.0000000005812000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2616427478.0000000005812000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/irefoxz
                Source: PNO3otPYOa.exe, 00000000.00000003.2619633459.00000000057FF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057FF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/t
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
                Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
                Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49718 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49719 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49720 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49721 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49722 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49723 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49728 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49729 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49730 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49731 version: TLS 1.2
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeCode function: 0_2_004E5FF0 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,73BC74A0,DeleteObject,DeleteObject,ReleaseDC,0_2_004E5FF0

                System Summary

                Source: PNO3otPYOa.exe | Static PE information: section name:
                Source: PNO3otPYOa.exe | Static PE information: section name:
                Source: PNO3otPYOa.exe | Static PE information: section name:
                Source: PNO3otPYOa.exe | Static PE information: section name:
                Source: RageMP131.exe.0.dr | Static PE information: section name:
                Source: RageMP131.exe.0.dr | Static PE information: section name:
                Source: RageMP131.exe.0.dr | Static PE information: section name:
                Source: RageMP131.exe.0.dr | Static PE information: section name:
                Source: MPGPH131.exe.0.dr | Static PE information: section name:
                Source: MPGPH131.exe.0.dr | Static PE information: section name:
                Source: MPGPH131.exe.0.dr | Static PE information: section name:
                Source: MPGPH131.exe.0.dr | Static PE information: section name:
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0044002D
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004DF030
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0049F0D0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004AA200
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0049D3A0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004963B0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00490440
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004DE430
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0053F550
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004D7600
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004986B0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0040B8E0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00481C10
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004FAD00
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00493F40
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0049AF60
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004DFF00
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00493080
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004371A0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0044036F
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004A4320
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004845E0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0042F580
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004A3610
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_005486C0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00547760
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004E77E0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004547BF
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0043C960
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0043A928
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0044DA86
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00458BB0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004EEC40
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004EFC40
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00534D40
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00546D20
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00545DE0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00458E30
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00541F00
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004F2FD0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0044002D
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004DF030
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0049F0D0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004AA200
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0049D3A0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004963B0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00490440
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004DE430
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0053F550
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004D7600
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004986B0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0040B8E0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00481C10
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004FAD00
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00493F40
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0049AF60
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004DFF00
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00493080
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004371A0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0044036F
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004A4320
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004845E0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0042F580
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004A3610
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_005486C0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00547760
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004E77E0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004547BF
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0043C960
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0043A928
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0044DA86
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00458BB0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004EEC40
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004EFC40
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00534D40
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00546D20
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00545DE0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00458E30
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00541F00
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004F2FD0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 0041ACE0 appears 86 times
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: String function: 0041ACE0 appears 86 times
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1972
                Source: PNO3otPYOa.exe | Binary or memory string: OriginalFilename vs PNO3otPYOa.exe
                Source: PNO3otPYOa.exe, 00000000.00000000.2020714356.000000000058A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedotnet.exe6 vs PNO3otPYOa.exe
                Source: PNO3otPYOa.exe, 00000000.00000002.2849064627.000000000058A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedotnet.exe6 vs PNO3otPYOa.exe
                Source: PNO3otPYOa.exe | Binary or memory string: OriginalFilenamedotnet.exe6 vs PNO3otPYOa.exe
                Source: PNO3otPYOa.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: PNO3otPYOa.exe | Static PE information: Section: ZLIB complexity 0.99894497066428
                Source: PNO3otPYOa.exe | Static PE information: Section: ZLIB complexity 0.9942434210526315
                Source: PNO3otPYOa.exe | Static PE information: Section: ZLIB complexity 0.99072265625
                Source: PNO3otPYOa.exe | Static PE information: Section: .reloc ZLIB complexity 1.5
                Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.99894497066428
                Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9942434210526315
                Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.99072265625
                Source: RageMP131.exe.0.dr | Static PE information: Section: .reloc ZLIB complexity 1.5
                Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.99894497066428
                Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9942434210526315
                Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.99072265625
                Source: MPGPH131.exe.0.dr | Static PE information: Section: .reloc ZLIB complexity 1.5
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@14/62@3/3
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | File created: C:\Users\user\AppData\Local\RageMP131
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2272
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1412:120:WilError_03
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2668
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1716:120:WilError_03
                Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3168
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: PNO3otPYOa.exe, 00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmp, PNO3otPYOa.exe, 00000000.00000003.2023432722.0000000000DF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2835935957.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2083193308.0000000000D30000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2821306165.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2084187915.00000000028C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2749828404.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2165267286.0000000002890000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2245506050.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2750366653.000000000055D000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: PNO3otPYOa.exe, 00000000.00000002.2848858257.000000000055D000.00000002.00000001.01000000.00000003.sdmp, PNO3otPYOa.exe, 00000000.00000003.2023432722.0000000000DF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2835935957.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2083193308.0000000000D30000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2821306165.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2084187915.00000000028C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2749828404.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2165267286.0000000002890000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2245506050.0000000000EF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2750366653.000000000055D000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: PNO3otPYOa.exe, 00000000.00000003.2610474711.000000000581C000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000003.2611164355.0000000005809000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2594074973.0000000005818000.00000004.00000020.00020000.00000000.sdmp, b4ep9YrEJBiwLogin Data.0.dr, YWghbxCAFBJrLogin Data.6.dr, JPQQEN02i61OLogin Data.0.dr, GK7TDaUZmBPNLogin Data For Account.6.dr, b81p5RNJHBPPLogin Data.6.dr, tMEkdeo4FFLNLogin Data For Account.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: PNO3otPYOa.exe | ReversingLabs: Detection: 54%
                Source: PNO3otPYOa.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                Source: MPGPH131.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | File read: C:\Users\user\Desktop\PNO3otPYOa.exe
                Source: unknown | Process created: C:\Users\user\Desktop\PNO3otPYOa.exe "C:\Users\user\Desktop\PNO3otPYOa.exe"
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
                Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
                Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1972
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1916
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 1736
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: rstrtmgr.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: d3d11.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: dxgi.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: resourcepolicyclient.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: d3d10warp.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: dxcore.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: ntmarta.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: devobj.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: webio.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: vaultcli.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: apphelp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d11.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxgi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: resourcepolicyclient.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: kernel.appcore.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d10warp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: uxtheme.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxcore.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: webio.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: iphlpapi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winnsi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dnsapi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rasadhlp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: fwpuclnt.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: schannel.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mskeyprotect.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncryptsslp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msasn1.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptsp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rsaenh.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptbase.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: gpapi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: windows.storage.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wldp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: vaultcli.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wintypes.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntmarta.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dpapi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d11.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxgi.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: resourcepolicyclient.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: kernel.appcore.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d10warp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: uxtheme.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxcore.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: webio.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: schannel.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wldp.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PNO3otPYOa.exe | Static file information: File size 3423760 > 1048576
Source: PNO3otPYOa.exe | Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x28c600
Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004CF280 | VirtualAllocEx, WriteProcessMemory, WriteProcessMemory, VirtualAllocEx, LoadLibraryA, GetProcAddress, WriteProcessMemory, WriteProcessMemory, CreateRemoteThread, WaitForSingleObject | 0_2_004CF280
Source: initial sample | Static PE information: section where entry point is pointing to: .boot
Source: PNO3otPYOa.exe | Static PE information: section name: (blank)
Source: PNO3otPYOa.exe | Static PE information: section name: (blank)
Source: PNO3otPYOa.exe | Static PE information: section name: (blank)
Source: PNO3otPYOa.exe | Static PE information: section name: (blank)
Source: PNO3otPYOa.exe | Static PE information: section name: .themida
Source: PNO3otPYOa.exe | Static PE information: section name: .boot
Source: RageMP131.exe.0.dr | Static PE information: section name: (blank)
Source: RageMP131.exe.0.dr | Static PE information: section name: (blank)
Source: RageMP131.exe.0.dr | Static PE information: section name: (blank)
Source: RageMP131.exe.0.dr | Static PE information: section name: (blank)
Source: RageMP131.exe.0.dr | Static PE information: section name: .themida
Source: RageMP131.exe.0.dr | Static PE information: section name: .boot
Source: MPGPH131.exe.0.dr | Static PE information: section name: (blank)
Source: MPGPH131.exe.0.dr | Static PE information: section name: (blank)
Source: MPGPH131.exe.0.dr | Static PE information: section name: (blank)
Source: MPGPH131.exe.0.dr | Static PE information: section name: (blank)
Source: MPGPH131.exe.0.dr | Static PE information: section name: .themida
Source: MPGPH131.exe.0.dr | Static PE information: section name: .boot
Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00433F59 | push ecx; ret | 0_2_00433F6C
Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_005F6FA2 | push ecx; mov dword ptr [esp], 33711A4Ah | 0_2_008B6662
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00433F59 | push ecx; ret | 6_2_00433F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_005F6FA2 | push ecx; mov dword ptr [esp], 33711A4Ah | 6_2_008B6662
Source: PNO3otPYOa.exe | Static PE information: section name: (blank), entropy: 7.9829541104019395
Source: RageMP131.exe.0.dr | Static PE information: section name: (blank), entropy: 7.9829541104019395
Source: MPGPH131.exe.0.dr | Static PE information: section name: (blank), entropy: 7.9829541104019395
Source: C:\Users\user\Desktop\PNO3otPYOa.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\PNO3otPYOa.exe | File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\PNO3otPYOa.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe
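The static entries above (entry point inside .boot, four sections with blank names, a .themida section, and a blank-named section with entropy 7.98 in the sample and in both dropped copies) are the usual fingerprint of a Themida/WinLicense-protected PE: the real code is stored encrypted in the unnamed section and unpacked at run time by the .boot stub. The Python script below is an added triage example, not part of the Joe Sandbox report: it walks the PE section table with the standard library only, computes per-section Shannon entropy and reports the same three heuristics. The image it analyses is constructed inline (build_sample_pe) to mirror the section layout above; it is not the analysed sample, and the packer names other than .themida/.boot in PACKER_SECTION_NAMES are an assumption.

```python
import hashlib
import math
import struct

# Section names left behind by packers/protectors. ".themida" and ".boot" are
# the two named sections in this report; the others are assumed equivalents
# for other protectors and are not taken from the sample.
PACKER_SECTION_NAMES = {".themida", ".boot", ".vmp0", ".vmp1", "UPX0", "UPX1"}
HIGH_ENTROPY = 7.0  # bits per byte; ordinary x86 code sits around 5 to 6.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 means uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns (AddressOfEntryPoint, list of section dicts)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    optional = coff + 20
    # AddressOfEntryPoint sits at the same offset in PE32 and PE32+ optional headers.
    entry_rva = struct.unpack_from("<I", pe, optional + 16)[0]
    table = optional + size_of_optional
    sections = []
    for i in range(num_sections):
        off = table + i * 40  # sizeof(IMAGE_SECTION_HEADER)
        raw_name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": raw_name.rstrip(b"\0").decode("latin-1"),
            "vaddr": vaddr,
            "vsize": vsize,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 3),
        })
    return entry_rva, sections


def triage(pe: bytes) -> dict:
    """Apply the three heuristics from the report and list those that fire."""
    entry_rva, sections = parse_sections(pe)
    entry_section = None
    for s in sections:
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["raw_size"]):
            entry_section = s["name"]
    indicators = []
    if entry_section in PACKER_SECTION_NAMES:
        indicators.append(f"entry point in packer section {entry_section!r}")
    blank = sum(1 for s in sections if s["name"] == "")
    if blank:
        indicators.append(f"{blank} section(s) with blank name")
    for s in sections:
        if s["entropy"] >= HIGH_ENTROPY:
            indicators.append(f"entropy {s['entropy']} in section {s['name']!r}")
    return {"entry_section": entry_section, "sections": sections, "indicators": indicators}


def build_sample_pe() -> bytes:
    """Constructed PE32 image for the demo (not the analysed sample): a
    blank-named high-entropy section, a '.themida' section and the entry
    point inside '.boot', mirroring the section listing in the report."""
    file_align = 0x200
    names = [b"", b".themida", b".boot"]
    payloads = [
        b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128)),  # 4 KiB pseudo-random
        b"\0" * 0x200,                          # filler, entropy 0
        b"\xCC" * 0x100 + b"\x90" * 0x100,      # int3/nop filler, entropy 1
    ]
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0xE0, 0x102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)     # PE32 magic
    struct.pack_into("<I", optional, 16, 0x3010)   # AddressOfEntryPoint inside .boot
    headers_len = 64 + 4 + len(coff) + len(optional) + 40 * len(names)
    first_raw = -(-headers_len // file_align) * file_align
    table, body = b"", b""
    for idx, (name, data) in enumerate(zip(names, payloads)):
        data = data.ljust(-(-len(data) // file_align) * file_align, b"\0")
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000 * (idx + 1),
                             len(data), first_raw + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)   # e_lfanew = 64
    return (dos + b"PE\0\0" + coff + bytes(optional) + table).ljust(first_raw, b"\0") + body


if __name__ == "__main__":
    result = triage(build_sample_pe())
    for s in result["sections"]:
        print(f"{s['name'] or '(blank)':10} rva={s['vaddr']:#07x} entropy={s['entropy']}")
    print("entry point section:", repr(result["entry_section"]))
    for ind in result["indicators"]:
        print(" -", ind)
```

Run against the real dropped files, triage(open(path, "rb").read()) would report the same combination as the listing above; a high-entropy unnamed section on its own is common in legitimately compressed resources, so it is the combination with the entry point in a protector section that is worth alerting on.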

Boot Survival

Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Process created: C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (value: RageMP131)
Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (value: RageMP131)
Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
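The sample sets up two independent persistence paths: a scheduled task that relaunches the MPGPH131.exe copy in C:\ProgramData every hour under the logged-on user at the highest run level the account allows (/f overwrites any existing task of that name), and an HKCU Run value named RageMP131 for the second copy under %LOCALAPPDATA%. The Python detector below is an added example and not part of the report: it parses schtasks /create command lines from process-creation events and Run-key writes from registry events, and scores the switches that matter here (/tr under a user-writable path, /rl HIGHEST, /sc HOURLY, /f). The events are constructed sample data: the first command line is copied from the entry above, the Run value data is an assumption (the report shows only the value name, so it is assumed to point at the dropped RageMP131.exe), and the second task is a made-up benign comparison.

```python
import re
from typing import Optional

# Locations a standard user can write to. Both persistence artefacts in the
# report live there (C:\ProgramData\... task action, %LOCALAPPDATA%\... Run value).
USER_WRITABLE_MARKERS = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\")
# Schedules that relaunch the payload often enough to act as a watchdog.
FREQUENT_SCHEDULES = {"minute", "hourly", "onlogon", "onstart", "onidle"}
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?$", re.I)

# Constructed sample events. The first command line is the one in the report;
# the Run value data is an assumption (the report shows only the value name);
# the second task is a made-up benign comparison.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST'},
    {"event": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Vendor Update" /tr "C:\Program Files\Vendor\update.exe" /sc DAILY'},
    {"event": "registry_set", "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "RageMP131", "data": r"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"},
]


def tokenize(cmdline: str) -> list:
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks_create(cmdline: str) -> Optional[dict]:
    """Map the switches of a 'schtasks /create' command line to their values.
    Returns None for anything that is not a task creation."""
    toks = tokenize(cmdline)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    opts = {}
    i = 1
    while i < len(toks):
        switch = toks[i].lower()
        if not switch.startswith("/"):
            i += 1
            continue
        # /create, /f and a trailing switch take no argument; the rest consume the next token.
        if switch in ("/create", "/f") or i + 1 == len(toks) or toks[i + 1].startswith("/"):
            opts[switch] = True
            i += 1
        else:
            opts[switch] = toks[i + 1]
            i += 2
    return opts if "/create" in opts else None


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def score_task(opts: dict) -> list:
    """Explain why each switch used in the report's command is suspicious."""
    reasons = []
    action = str(opts.get("/tr", ""))
    if in_user_writable(action):
        reasons.append(f"task action runs from a user-writable path: {action}")
    if str(opts.get("/rl", "")).lower() == "highest":
        reasons.append("/rl HIGHEST: runs with the highest privileges the account has")
    if str(opts.get("/sc", "")).lower() in FREQUENT_SCHEDULES:
        reasons.append(f"/sc {opts['/sc']}: periodic relaunch acts as a watchdog")
    if opts.get("/f"):
        reasons.append("/f: silently overwrites an existing task of the same name")
    return reasons


def score_registry_set(key: str, value: str, data: str) -> list:
    """Flag autostart values written under ...\\CurrentVersion\\Run or RunOnce."""
    reasons = []
    if RUN_KEY_RE.search(key):
        reasons.append(f"autostart value {value!r} written under {key}")
        if in_user_writable(data):
            reasons.append(f"Run value launches from a user-writable path: {data}")
    return reasons


def analyze(events: list) -> list:
    """Run both detectors over a mixed event stream and keep the hits."""
    hits = []
    for ev in events:
        reasons = []
        if ev["event"] == "process_create":
            opts = parse_schtasks_create(ev["cmdline"])
            if opts:
                reasons = score_task(opts)
        elif ev["event"] == "registry_set":
            reasons = score_registry_set(ev["key"], ev["value"], ev["data"])
        if reasons:
            hits.append({"event": ev, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in analyze(SAMPLE_EVENTS):
        print(hit["event"]["event"], hit["event"].get("cmdline") or hit["event"]["data"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

The same rules apply unchanged to Sysmon event ID 1 (CommandLine) and event ID 13 (TargetObject/Details) records; on a live host, schtasks /query /fo LIST /v and the HKCU Run key are the two places to confirm and remove what the detector reports.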
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (15 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (153 identical entries)

                Malware Analysis System Evasion

                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Stalling execution: Execution stalls by calling Sleep
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | System information queried: FirmwareTableInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | System information queried: FirmwareTableInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Window / User API: threadDelayed 419
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window / User API: threadDelayed 444
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window / User API: threadDelayed 353
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-53262
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-53377
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe TID: 5068 | Thread sleep count: 54 > 30
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe TID: 5068 | Thread sleep count: 419 > 30
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe TID: 5068 | Thread sleep time: -42319s >= -30000s
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5032 | Thread sleep count: 348 > 30
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5032 | Thread sleep time: -35148s >= -30000s
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3364 | Thread sleep count: 347 > 30
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3364 | Thread sleep time: -35047s >= -30000s
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1216 | Thread sleep count: 60 > 30
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1216 | Thread sleep count: 444 > 30
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1216 | Thread sleep time: -44844s >= -30000s
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3748 | Thread sleep count: 353 > 30
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3748 | Thread sleep time: -35653s >= -30000s
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004C6000
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,0_2_004E6770
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,0_2_00493F40
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,0_2_004DFF00
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError,0_2_00431F9C
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,0_2_00432022
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004938D0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,6_2_004C6000
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,6_2_004E6770
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,6_2_00493F40
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,6_2_004DFF00
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00431F9C FindClose,FindFirstFileExW,GetLastError,6_2_00431F9C
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,6_2_00432022
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,6_2_004938D0
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: formVMware20,11696428655
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ccount.microsoft.com/profileVMware20,11696428655u
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CT service, encrypted_token FROM token_servicerr global passwords blocklistVMware20,11696428655
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696
                Source: MPGPH131.exe, 00000006.00000003.2614381832.000000000582B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .comVMware20,11696428
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: r global passwords blocklistVMware20,11696428655
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000F80000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWHk
                Source: PNO3otPYOa.exe, 00000000.00000003.2611676678.0000000005818000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware20,11696428655
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
                Source: PNO3otPYOa.exe, 00000000.00000003.2617256419.000000000581E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: Amcache.hve.16.dr | Binary or memory string: vmci.sys
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: AMC password management pageVMware20,11696428655
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
                Source: MPGPH131.exe, 00000006.00000003.2614381832.000000000582B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ebrokers.co.inVMware20,11696428655d
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000E93000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4468A0FF
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4468A0FFFk21
                Source: Amcache.hve.16.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: PNO3otPYOa.exe, 00000000.00000003.2611676678.0000000005818000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CT name, value FROM autofillmain'.sqlite_masterr global passwords blocklistVMware20,11696428655
                Source: Amcache.hve.16.dr | Binary or memory string: VMware PCI VMCI Bus Device
                Source: Amcache.hve.16.dr | Binary or memory string: VMware Virtual RAM
                Source: Amcache.hve.16.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
                Source: RageMP131.exe, 00000008.00000002.2751365986.0000000000CAA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@J
                Source: Amcache.hve.16.dr | Binary or memory string: VMware Virtual USB Mouse
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: discord.comVMware20,11696428655f
                Source: RageMP131.exe, 0000000A.00000003.2280024617.0000000000F90000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: MPGPH131.exe, 00000006.00000003.2614381832.000000000582B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,116
                Source: Amcache.hve.16.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
                Source: Amcache.hve.16.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rootpagecomVMware20,11696428655o
                Source: MPGPH131.exe, 00000006.00000003.2614381832.000000000582B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: s.portal.azure.comVMware20,11696428655
                Source: Amcache.hve.16.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                Source: Amcache.hve.16.dr | Binary or memory string: vmci.syshbin`
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: PNO3otPYOa.exe, 00000000.00000003.2070484836.0000000000F02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}$
                Source: Amcache.hve.16.dr | Binary or memory string: \driver\vmci,\driver\pci
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: pageformVMware20,11696428655
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: MPGPH131.exe, 00000006.00000003.2614381832.000000000582B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696(
                Source: MPGPH131.exe, 00000007.00000002.2824312294.0000000005C20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}FilesPSModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: MPGPH131.exe, 00000006.00000003.2614381832.000000000582B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: billing_address_id.comVMware20,11696428
                Source: Amcache.hve.16.dr | Binary or memory string: VMware
                Source: MPGPH131.exe, 00000007.00000003.2132480957.0000000000E28000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#3
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E82000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@
                Source: MPGPH131.exe, 00000006.00000003.2614381832.000000000582B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .utiitsl.comVMware20,1169642865
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: global block list test formVMware20,11696428655
                Source: Amcache.hve.16.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F16000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000EEF000.00000004.00000020.00020000.00000000.sdmp, PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2838904205.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2822679515.0000000000E0F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2751365986.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.2752487929.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: RageMP131.exe, 0000000A.00000003.2280024617.0000000000F98000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: PNO3otPYOa.exe, 00000000.00000003.2611676678.0000000005818000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: eVMware20,11696428655
                Source: Amcache.hve.16.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,1169642865
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: RageMP131.exe, 00000008.00000002.2751365986.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AESCPI\DSDT\VBOX__Virt
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: MPGPH131.exe, 00000006.00000003.2614381832.000000000582B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: nickname.utiitsl.comVMware20,1169642865
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: Amcache.hve.16.dr | Binary or memory string: VMware20,1
                Source: Amcache.hve.16.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.16.dr | Binary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.16.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: Amcache.hve.16.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: MPGPH131.exe, 00000006.00000003.2614381832.000000000582B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ra Change Transaction PasswordVMware20,11696428655
                Source: Amcache.hve.16.dr | Binary or memory string: VMware VMCI Bus Device
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: o.inVMware20,11696428655~
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: Amcache.hve.16.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&5
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000F30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000E93000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4468A0FFT`
                Source: Amcache.hve.16.dr | Binary or memory string: vmci.syshbin
                Source: Amcache.hve.16.dr | Binary or memory string: VMware, Inc.
                Source: PNO3otPYOa.exe, 00000000.00000003.2611676678.0000000005818000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428657
                Source: Amcache.hve.16.dr | Binary or memory string: VMware20,1hbin@
                Source: Amcache.hve.16.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696428655
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: Amcache.hve.16.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}g,u.eg,v.eg,w.eg,x.eg,y.eg,z.eg,a.in,b.in,c.in,d.in,e.in,f.in,g.in,h.in,i.in,j.in,k.in,l.in,m.in,n.in,o.in
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}vgE
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: comVMware20,11696428655o
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: Amcache.hve.16.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: G6hWgD726jZgWeb Data.6.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: Amcache.hve.16.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: PNO3otPYOa.exe, 00000000.00000003.2615940466.0000000005821000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696428655
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}g,u.ug,v.ug,w.ug,x.ug,y.ug,z.ug,a.sy,b.sy,c.sy,d.sy,e.sy,f.sy,g.sy,h.sy,i.sy,j.sy,k.sy,l.sy,m.sy,n.sy,o.sy
                Source: RageMP131.exe, 0000000A.00000002.2752487929.0000000000FB9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW3)
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWF
                Source: Amcache.hve.16.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4468A0FF
                Source: PNO3otPYOa.exe, 00000000.00000003.2611676678.0000000005818000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696x.
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Process queried: DebugPort
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00438A64
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,0_2_004CF280
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004C6D80 mov eax, dword ptr fs:[00000030h] 0_2_004C6D80
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_00493F40 mov eax, dword ptr fs:[00000030h] 0_2_00493F40
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004C6D80 mov eax, dword ptr fs:[00000030h] 6_2_004C6D80
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00493F40 mov eax, dword ptr fs:[00000030h] 6_2_00493F40
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004E9A70 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree,0_2_004E9A70
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0043451D
                Source: C:\Users\user\Desktop\PNO3otPYOa.exeCode function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00438A64
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_0043451D
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00438A64

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_004CF280
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 6_2_004CF280
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_004DFF00
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: GetLocaleInfoW, 0_2_004531CA
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: EnumSystemLocalesW, 0_2_0044B1B1
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_004532F3
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: GetLocaleInfoW, 0_2_004533F9
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_004534CF
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: GetLocaleInfoW, 0_2_0044B734
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00452B5A
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: GetLocaleInfoW, 0_2_00452D5F
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: EnumSystemLocalesW, 0_2_00452E51
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: EnumSystemLocalesW, 0_2_00452E06
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: EnumSystemLocalesW, 0_2_00452EEC
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00452F77
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 6_2_004DFF00
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW, 6_2_004531CA
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW, 6_2_0044B1B1
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_004532F3
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW, 6_2_004533F9
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_004534CF
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW, 6_2_0044B734
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 6_2_00452B5A
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW, 6_2_00452D5F
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW, 6_2_00452E51
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW, 6_2_00452E06
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW, 6_2_00452EEC
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_2_00452F77
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite VolumeInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_004DFF00
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: Amcache.hve.16.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.16.dr | Binary or memory string: msmpeng.exe
                Source: Amcache.hve.16.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Amcache.hve.16.dr | Binary or memory string: MsMpEng.exe

                Stealing of Sensitive Information

                Source: Yara match | File source: 00000006.00000002.2840550495.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2823886060.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2855619080.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2619633459.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: PNO3otPYOa.exe PID: 3168, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 2668, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 2272, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 4956, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 4440, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\J7z8s88sXcCE6j1G9cCUUTi.zip, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\r_sRxMygZ5JYHZAcFpnL_Yd.zip, type: DROPPED
                Source: PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets*
                Source: MPGPH131.exe, 00000006.00000002.2840550495.00000000057D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
                Source: PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Jaxx\Local Storage
                Source: PNO3otPYOa.exe, 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.walleta_1n
                Source: PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057B4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
                Source: MPGPH131.exe, 00000006.00000002.2840550495.00000000057D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000E93000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: MPGPH131.exe, 00000006.00000002.2840550495.00000000057D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
                Source: MPGPH131.exe, 00000007.00000002.2822679515.0000000000E3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\formhistory.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_hnfanknocfeofbddgcijnmhnfnkdnaad_0.indexeddb.leveldb\CURRENT
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Users\user\Desktop\PNO3otPYOa.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: Yara match | File source: 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 2668, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 2272, type: MEMORYSTR
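The file, key and string hits above are the raw material an analyst turns into a target list for the stealer: which process touched which browser credential store, extension store, mail profile or wallet directory. The following Python script is an added example for doing that, not code from the Joe Sandbox report or from the RisePro sample. It parses "Source: <process> <event>: <detail>" lines as this report exports them (columns run together and a trailing "Jump to behavior" link text) as well as lines with a " | " column separator, normalises the source to the image name, and groups the details by target class. The sample lines are copied from this report; the category patterns, the event-label list and the function names are my own assumptions about what counts as a credential store, extension store, mail profile or wallet path, not something the report itself states.

```python
import re
from collections import defaultdict

# Constructed sample input: behaviour lines copied from the report above, in both
# the raw export form (columns fused, "Jump to behavior" appended) and a
# separated form. Any lines that do not start with "Source:" are ignored.
SAMPLE_LINES = [
    r"Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.jsonJump to behavior",
    r"Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite",
    r"Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENTJump to behavior",
    r"Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENTJump to behavior",
    r"Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior",
    r"Source: C:\Users\user\Desktop\PNO3otPYOa.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior",
    r"Source: PNO3otPYOa.exe, 00000000.00000002.2855619080.00000000057B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets*",
    r"Source: MPGPH131.exe, 00000006.00000002.2838904205.0000000000E30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live",
    r"Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformationJump to behavior",
]

# Event labels seen in the report (assumed list). The alternation is what lets the
# regex locate the column boundary when source and event are run together.
EVENTS = (
    "File opened", "Key opened", "Key value queried", "Registry key value queried",
    "Queries volume information", "String found in binary or memory",
    "Binary or memory string", "Process queried", "Code function",
)
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*\|?\s*(?P<event>" + "|".join(map(re.escape, EVENTS))
    + r"):\s*(?P<detail>.*?)(?:Jump to behavior)?\s*$"
)

# Target classes, matched against the event detail (a path or a registry key).
# Order matters: Thunderbird's profiles.ini must be classed as mail, not browser.
CATEGORIES = [
    ("browser-credentials", re.compile(r"\\(logins\.json|signons\.sqlite|key[34]\.db|Login Data|Web Data)$", re.I)),
    ("browser-extension", re.compile(r"\\(?:Local|Sync) Extension Settings\\[a-p]{32}\\|chrome-extension_[a-p]{32}_", re.I)),
    ("mail-client", re.compile(r"\\Thunderbird\\|Windows Messaging Subsystem\\Profiles\\Outlook", re.I)),
    ("browser-profile", re.compile(r"\\(places|formhistory|cookies)\.sqlite$|\\profiles\.ini$", re.I)),
    ("crypto-wallet", re.compile(r"\\(Electrum|ElectronCash|Exodus|Ethereum|Jaxx|Binance|Coinomi|MultiDoge|Ledger Live)(\\|$)", re.I)),
]

def parse_line(line):
    """Return (image name, event, detail) for a Source: line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    source = m.group("source").split(",")[0]   # drop the ", <pid>.<dump>.sdmp" suffix
    source = source.rsplit("\\", 1)[-1]        # keep only the image name
    return source, m.group("event"), m.group("detail").strip()

def classify(detail):
    """First matching target class for a path or key, else 'other'."""
    for name, rx in CATEGORIES:
        if rx.search(detail):
            return name
    return "other"

def triage(lines):
    """Map image name -> target class -> sorted unique details."""
    out = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        source, _event, detail = parsed
        out[source][classify(detail)].add(detail)
    return {s: {c: sorted(v) for c, v in cats.items()} for s, cats in out.items()}

# Chromium extension IDs are 32 characters drawn from a-p.
EXT_ID_RE = re.compile(r"(?:Extension Settings\\|chrome-extension_)([a-p]{32})")

def extension_ids(lines):
    """Sorted unique Chromium extension IDs whose storage the sample touched."""
    ids = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ids.update(EXT_ID_RE.findall(parsed[2]))
    return sorted(ids)

if __name__ == "__main__":
    for source, cats in triage(SAMPLE_LINES).items():
        print(source)
        for cat, items in cats.items():
            print(f"  {cat}: {len(items)} unique path(s)/key(s)")
    print("extension IDs touched:", extension_ids(SAMPLE_LINES))
```

Run against the full behaviour section the script gives, per image, a count of credential stores, extension stores, mail profiles and wallet directories touched, and the list of extension IDs, which is what is needed to decide which credentials to rotate on an infected host. The extension IDs are deliberately left unmapped to product names, since the report does not name them.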

                Remote Access Functionality

                Source: Yara match | File source: 00000006.00000002.2840550495.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2823886060.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2855619080.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2619633459.00000000057C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2851606478.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: PNO3otPYOa.exe PID: 3168, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 2668, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 2272, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 4956, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 4440, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\J7z8s88sXcCE6j1G9cCUUTi.zip, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\r_sRxMygZ5JYHZAcFpnL_Yd.zip, type: DROPPED
                Mitre Att&ck Matrix (techniques with at least one matched signature; the number in parentheses is the signature count)

                Execution: Native API (2); Command and Scripting Interpreter (2); Scheduled Task/Job (1)
                Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1)
                Privilege Escalation: DLL Side-Loading (1); Process Injection (11); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1)
                Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (2); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (13); Process Injection (11)
                Credential Access: OS Credential Dumping (1)
                Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (35); Query Registry (1); Security Software Discovery (351); Virtualization/Sandbox Evasion (13); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1); System Network Configuration Discovery (1)
                Collection: Archive Collected Data (1); Data from Local System (2); Screen Capture (1); Email Collection (1)
                Command and Control: Ingress Tool Transfer (2); Encrypted Channel (21); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (13)
                Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no matched techniques. The remaining cells of the original matrix are the unmatched rows of the ATT&CK template and are omitted here.

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 1460309
                Sample: PNO3otPYOa.exe
                Startdate: 20/06/2024
                Architecture: WINDOWS
                Score: 100

                Sample-level DNS/IP info: ipinfo.io; db-ip.com
                Sample-level signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 5 other signatures

                Process tree (numbers in brackets are the created-registry-value / created-file badges shown on each process node, see legend):

                • PNO3otPYOa.exe [1 63], started
                  DNS/IP: 77.91.77.66, 49705, 49706, 49707, FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation; ipinfo.io 34.117.186.192, 443, 49718, 49719, GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States; db-ip.com 104.26.4.15, 443, 49721, 49722, CLOUDFLARENETUS, United States
                  Dropped: C:\Users\user\AppData\Local\...\RageMP131.exe, PE32; C:\ProgramData\MPGPH131\MPGPH131.exe, PE32; C:\Users\user\...\r_sRxMygZ5JYHZAcFpnL_Yd.zip, Zip; 2 other malicious files
                  Signatures: Query firmware table information (likely to detect VMs); Tries to steal Mail credentials (via file / registry access); Found many strings related to Crypto-Wallets (likely being stolen); 2 other signatures
                  Child processes: WerFault.exe, which dropped C:\ProgramData\Microsoft\...\Report.wer, Unicode; schtasks.exe [1], which started conhost.exe; schtasks.exe [1], which started conhost.exe
                • MPGPH131.exe [56], started
                  Dropped: C:\Users\user\...\J7z8s88sXcCE6j1G9cCUUTi.zip, Zip
                  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found stalling execution ending in API Sleep call
                  Child processes: WerFault.exe
                • MPGPH131.exe [10 50], started
                  Signatures: Tries to harvest and steal browser information (history, passwords, etc); Tries to detect sandboxes / dynamic malware analysis system (registry check)
                  Child processes: WerFault.exe
                • 2 other processes
