Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1460423
MD5: b7e7f713ce1c717b6ae28904971e37e5
SHA1: c18c91d091956967f5937ce5bd1555ea6494309f
SHA256: f44b54751b7158902476013aed1fbcfec96bc0ab19b3303d088dec97f418885e
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Steals Internet Explorer cookies
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • file.exe (PID: 4536 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B7E7F713CE1C717B6AE28904971E37E5)
    • schtasks.exe (PID: 6900 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 3364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 6444 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • MPGPH131.exe (PID: 3308 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: B7E7F713CE1C717B6AE28904971E37E5)
    • WerFault.exe (PID: 7588 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 824 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 7112 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: B7E7F713CE1C717B6AE28904971E37E5)
  • RageMP131.exe (PID: 7264 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: B7E7F713CE1C717B6AE28904971E37E5)
  • RageMP131.exe (PID: 7620 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: B7E7F713CE1C717B6AE28904971E37E5)
  • cleanup
Malware Configuration

No configs have been found

Yara Overview

Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\EfSAyduNP94O7VkIcUcjXr_.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
0000000E.00000002.1649769976.0000000005796000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: file.exe PID: 4536 | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
(5 entries of this table are collapsed in the original report)

Sigma Overview

System Summary

Rule: CurrentVersion Autorun Keys Modification | Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 4536, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131
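The two schtasks command lines in the process tree and this Sigma match describe the same persistence set-up from two angles: scheduled tasks (hourly and at logon, highest run level) pointing at a copy under C:\ProgramData, and a Run-key value pointing at a second copy under AppData\Local. The Python below is an added example, not part of the Joe Sandbox report, that turns both artefacts into one set of triage records: it parses the schtasks switches and checks a Sysmon EventID 13 record against the Run keys. The command lines and the event fields are copied from this page; the list of user-writable directory markers and the choice of which triggers count as persistent are assumptions of the example.

```python
import re
from dataclasses import dataclass, field

# Constructed inputs: the two schtasks command lines from the process tree and the
# Sysmon EventID 13 record behind the Sigma match, copied as plain strings.
SCHTASKS_CMDLINES = [
    'schtasks /create /f /RU "user" /tr "C:\\ProgramData\\MPGPH131\\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST',
    'schtasks /create /f /RU "user" /tr "C:\\ProgramData\\MPGPH131\\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST',
]
RUNKEY_EVENT = {
    "EventID": 13,
    "EventType": "SetValue",
    "Image": "C:\\Users\\user\\Desktop\\file.exe",
    "TargetObject": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\RageMP131",
    "Details": "C:\\Users\\user\\AppData\\Local\\RageMP131\\RageMP131.exe",
}

# Path fragments that mark directories any standard user can write to (assumed list)
USER_WRITABLE = ("\\programdata\\", "\\appdata\\local\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\desktop\\", "\\downloads\\", "\\temp\\")
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
PERSISTENT_TRIGGERS = ("ONLOGON", "ONSTART", "MINUTE", "HOURLY", "DAILY")  # assumed


@dataclass
class Persistence:
    mechanism: str
    name: str
    target: str
    trigger: str
    reasons: list = field(default_factory=list)


def _user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


# One /switch, optionally followed by a "quoted value" or a bare token that is not itself a switch
_OPT_RE = re.compile(r'/(?P<key>[A-Za-z]+)(?:\s+(?:"(?P<q>[^"]*)"|(?P<bare>[^\s/"]\S*)))?')


def parse_schtasks(cmdline: str):
    """Turn a `schtasks /create ...` command line into a Persistence record (None if it is not one)."""
    if not re.match(r'\s*"?(?:\S*[\\/])?schtasks(?:\.exe)?"?\s+/create\b', cmdline, re.I):
        return None
    opts = {}
    for m in _OPT_RE.finditer(cmdline):
        opts[m.group("key").lower()] = m.group("q") if m.group("q") is not None else m.group("bare")
    target = opts.get("tr") or ""
    rec = Persistence("scheduled task", opts.get("tn") or "", target, (opts.get("sc") or "").upper())
    if _user_writable(target):
        rec.reasons.append("task target lives in a user-writable directory")
    if (opts.get("rl") or "").upper() == "HIGHEST":
        rec.reasons.append("task requests the highest run level")
    if rec.trigger in PERSISTENT_TRIGGERS:
        rec.reasons.append(f"recurring trigger {rec.trigger}")
    return rec


def check_runkey_event(event: dict):
    """Flag a Sysmon EventID 13 (registry value set) that writes an autorun entry."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return None
    key, _, value_name = event.get("TargetObject", "").rpartition("\\")
    if not key.lower().endswith(RUN_KEYS):
        return None
    target = event.get("Details", "")
    rec = Persistence("registry Run key", value_name, target, "USER LOGON")
    if _user_writable(target):
        rec.reasons.append("autorun target lives in a user-writable directory")
    if _user_writable(event.get("Image", "")):
        rec.reasons.append("value written by a process running from a user directory")
    return rec


def triage(cmdlines=SCHTASKS_CMDLINES, events=(RUNKEY_EVENT,)):
    """Every persistence record that has at least one reason to be flagged."""
    found = [parse_schtasks(c) for c in cmdlines] + [check_runkey_event(e) for e in events]
    return [r for r in found if r is not None and r.reasons]


if __name__ == "__main__":
    for r in triage():
        print(f"{r.mechanism:17} {r.name!r:15} -> {r.target} [{r.trigger}]: {'; '.join(r.reasons)}")
```

On this sample all three records are flagged for more than one reason; the task names ("MPGPH131 HR", "MPGPH131 LG") and the Run value name (RageMP131) are the host-side indicators to sweep for, alongside the two dropped paths.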

Snort IDS Alerts

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
06/21/24-00:21:07.716237 | 2046269 | 49701 | 58709 | TCP | A Network Trojan was detected
06/21/24-00:21:18.191477 | 2046269 | 49702 | 58709 | TCP | A Network Trojan was detected
06/21/24-00:21:22.433823 | 2046266 | 58709 | 49716 | TCP | A Network Trojan was detected
06/21/24-00:21:04.001309 | 2049060 | 49701 | 58709 | TCP | A Network Trojan was detected
06/21/24-00:21:08.912466 | 2046266 | 58709 | 49703 | TCP | A Network Trojan was detected
06/21/24-00:21:09.145970 | 2046267 | 58709 | 49703 | TCP | A Network Trojan was detected
06/21/24-00:21:29.885372 | 2046266 | 58709 | 49721 | TCP | A Network Trojan was detected
06/21/24-00:21:04.598857 | 2046266 | 58709 | 49701 | TCP | A Network Trojan was detected
06/21/24-00:21:08.254846 | 2046267 | 58709 | 49701 | TCP | A Network Trojan was detected
06/21/24-00:21:09.129736 | 2046267 | 58709 | 49702 | TCP | A Network Trojan was detected
06/21/24-00:21:08.889682 | 2046266 | 58709 | 49702 | TCP | A Network Trojan was detected
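The eleven alerts above read better as connections than as a flat list. Every entry has 58709 on the server side, so the client's ephemeral port identifies one TCP connection, and ordering the alerts inside each connection exposes the RisePro exchange the rules are named after (heartbeat, token, activity, external IP). The Python below is an added example, not part of the report: it parses the table, re-serialized here as constructed input, and reconstructs the per-connection rule sequence. Keying on the ephemeral port alone is an assumption that holds inside a single sandbox capture; on a production sensor, key on the full 5-tuple.

```python
import re
from collections import defaultdict
from datetime import datetime

# ET Open rule ids seen in this report, with the names the Networking section gives them
SID_NAMES = {
    2049060: "RisePro TCP Heartbeat Packet",
    2046266: "RisePro TCP (Token)",
    2046267: "RisePro TCP (External IP)",
    2046269: "RisePro TCP (Activity)",
}
C2_PORT = 58709  # the server-side port in every alert above

# Constructed input: the eleven alerts from the table above, one per line as
# "timestamp sid src_port dst_port proto", in the order the report lists them
ALERTS_TEXT = """\
06/21/24-00:21:07.716237 2046269 49701 58709 TCP
06/21/24-00:21:18.191477 2046269 49702 58709 TCP
06/21/24-00:21:22.433823 2046266 58709 49716 TCP
06/21/24-00:21:04.001309 2049060 49701 58709 TCP
06/21/24-00:21:08.912466 2046266 58709 49703 TCP
06/21/24-00:21:09.145970 2046267 58709 49703 TCP
06/21/24-00:21:29.885372 2046266 58709 49721 TCP
06/21/24-00:21:04.598857 2046266 58709 49701 TCP
06/21/24-00:21:08.254846 2046267 58709 49701 TCP
06/21/24-00:21:09.129736 2046267 58709 49702 TCP
06/21/24-00:21:08.889682 2046266 58709 49702 TCP
"""

_LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\w+)$")


def parse_alerts(text):
    """Parse records into (timestamp, sid, src_port, dst_port, proto); Snort's mm/dd/yy-HH:MM:SS.usec timestamps."""
    alerts = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort the whole triage
        ts = datetime.strptime(m.group(1), "%m/%d/%y-%H:%M:%S.%f")
        alerts.append((ts, int(m.group(2)), int(m.group(3)), int(m.group(4)), m.group(5)))
    return alerts


def sessions_by_client_port(alerts, c2_port=C2_PORT):
    """Group alerts by the client's ephemeral port, i.e. per TCP connection to the C2, in time order."""
    sessions = defaultdict(list)
    for ts, sid, sport, dport, _ in alerts:
        from_server = sport == c2_port
        client_port = dport if from_server else sport
        sessions[client_port].append((ts, sid, "S->C" if from_server else "C->S"))
    # connections ordered by their first alert, alerts ordered by time inside each connection
    return {port: sorted(events) for port, events in sorted(sessions.items(), key=lambda kv: min(kv[1])[0])}


def rule_sequence(session):
    """The ordered list of rule ids that fired on one connection."""
    return [sid for _, sid, _ in session]


def accepted_sessions(sessions):
    """Client ports where the server answered with both the Token and the External IP packet,
    i.e. the bot got past registration rather than only being probed."""
    return [p for p, s in sessions.items() if {2046266, 2046267} <= {sid for _, sid, _ in s}]


if __name__ == "__main__":
    sessions = sessions_by_client_port(parse_alerts(ALERTS_TEXT))
    for port, events in sessions.items():
        start = events[0][0].strftime("%H:%M:%S.%f")
        names = ", ".join(f"{d} {SID_NAMES.get(sid, sid)}" for _, sid, d in events)
        print(f"{start} client port {port}: {names}")
    print("registered sessions:", accepted_sessions(sessions))
```

Run against the table, the first connection (client port 49701) shows the full order heartbeat, token, activity, external IP within four seconds; the later connections on 49716 and 49721 only ever receive a token packet before the capture ends, which is what to expect from a stealer that keeps reconnecting.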

AV Detection

Source: http://77.91.77.81/mine/amadka.exe | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exe | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exeE | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exerisepro3J | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exep | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exen | Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe | Avira URL Cloud: Label: phishing
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C6B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004C6B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49724 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49725 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C6000 FindFirstFileA,FindNextFileA,GetLastError,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00431F9C FindClose,FindFirstFileExW,GetLastError
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose

              Networking

Source: Traffic | Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.7:49701 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.7:49701
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.7:49701 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.7:49701
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.7:49702
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.7:49703
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.7:49702
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.7:49703
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.7:49702 -> 77.91.77.66:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.7:49716
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.7:49721
Source: global traffic | TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9
Source: global traffic | TCP traffic: 192.168.2.7:49701 -> 77.91.77.66:58709
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: ipinfo.io | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 34.117.186.192
Source: Joe Sandbox View | IP Address: 34.117.186.192
Source: Joe Sandbox View | IP Address: 172.67.75.166
Source: Joe Sandbox View | IP Address: 77.91.77.66
Source: Joe Sandbox View | ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | DNS query: name: ipinfo.io
Source: unknown | DNS query: name: ipinfo.io
Source: global traffic | HTTP traffic detected (5 requests): GET /widget/demo/8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Referer: https://ipinfo.io/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: ipinfo.io
Source: global traffic | HTTP traffic detected (5 requests): GET /demo/home.php?s=8.46.123.33 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: db-ip.com
Source: unknown | TCP traffic detected without corresponding DNS query: 77.91.77.66 (50 identical entries)
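Fifty TCP connections to 77.91.77.66 with no DNS lookup is a strong signal on its own: the address is hard-coded in the sample, while the two lookup services it uses (ipinfo.io, db-ip.com) were resolved normally. The Python below is an added example, not from the report, of the correlation behind that finding: it keeps the DNS answers seen in a capture and flags any connection whose destination was not resolved within a window before it. The records are constructed from the names and addresses on this page; the timestamps, the one-hour window and the private-address filter are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample records in the shape of the sandbox's capture. The names and
# addresses are the ones on this page; the timestamps are invented for the example.
DNS_ANSWERS = [  # (time, queried name, answer address)
    ("2024-06-21T00:20:58", "ipinfo.io", "34.117.186.192"),
    ("2024-06-21T00:20:59", "db-ip.com", "172.67.75.166"),
]
CONNECTIONS = [  # (time, source, destination, destination port)
    ("2024-06-21T00:21:03", "192.168.2.7", "77.91.77.66", 58709),
    ("2024-06-21T00:21:05", "192.168.2.7", "34.117.186.192", 443),
    ("2024-06-21T00:21:06", "192.168.2.7", "172.67.75.166", 443),
    ("2024-06-21T00:21:07", "192.168.2.7", "77.91.77.66", 58709),
    ("2024-06-21T00:21:10", "192.168.2.7", "192.168.2.1", 53),
]


def _ts(value):
    return datetime.fromisoformat(value)


def resolution_table(dns_answers):
    """Map answer address -> list of (answer time, queried name)."""
    table = defaultdict(list)
    for ts, name, address in dns_answers:
        table[address].append((_ts(ts), name))
    return table


def connections_without_dns(connections, dns_answers, max_age=timedelta(hours=1), ignore_private=True):
    """Connections whose destination was not returned by any DNS answer in the preceding max_age.

    A resolution that arrives after the connection does not count: the process already had the
    address before it could have learned it from DNS, which is the hallmark of a hardcoded C2.
    """
    table = resolution_table(dns_answers)
    flagged = []
    for ts, src, dst, port in connections:
        if ignore_private and ip_address(dst).is_private:
            continue  # gateway, DNS server, LAN peers
        when = _ts(ts)
        if any(when - max_age <= seen <= when for seen, _ in table.get(dst, [])):
            continue
        flagged.append((ts, src, dst, port))
    return flagged


def summarize(flagged):
    """Collapse flagged connections to destination -> (count, sorted ports): the blocklist view."""
    counts, ports = defaultdict(int), defaultdict(set)
    for _, _, dst, port in flagged:
        counts[dst] += 1
        ports[dst].add(port)
    return {dst: (counts[dst], sorted(ports[dst])) for dst in counts}


if __name__ == "__main__":
    for dst, (n, ports) in summarize(connections_without_dns(CONNECTIONS, DNS_ANSWERS)).items():
        print(f"{dst}: {n} connection(s) with no preceding DNS answer, ports {ports}")
```

The window matters in both directions: a connection that precedes the answer that would have justified it is still flagged, and a stale answer from hours earlier does not whitelist a destination, so a host that caches resolutions across a long session needs a larger max_age than one hour.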
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C7B00 recv,setsockopt,recv,WSAGetLastError,recv,recv,setsockopt,recv,recv,recv,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep
Source: global traffic | DNS traffic detected: DNS query: ipinfo.io
Source: global traffic | DNS traffic detected: DNS query: db-ip.com
Source: file.exe, 00000000.00000002.1408683703.000000000100F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/go.exe
Source: MPGPH131.exe, 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/go.exeE
Source: MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/go.exep
Source: file.exe, 00000000.00000002.1408683703.000000000100F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/lenin.exe
Source: MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/cost/lenin.exen
Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/mine/amadka.exe
Source: MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://77.91.77.81/mine/amadka.exerisepro3J
Source: Amcache.hve.21.dr | String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1252876306.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1294004431.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648256336.000000000055D000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000F.00000003.1294088860.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1408057987.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000011.00000003.1419406208.0000000002860000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1530238789.000000000055D000.00000002.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000016.00000003.1503411648.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596034104.000000000055D000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
Source: MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 00000016.00000002.1596888366.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33Ap
Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33K
Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33SE
Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33i
              Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33z
              Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/n
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/w
              Source: file.exe, 00000000.00000002.1408683703.000000000100F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1531975508.0000000000E9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000E68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33
              Source: MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33J
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33r
              Source: MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.drString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: RageMP131.exe, 00000016.00000002.1596888366.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000E92000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/
              Source: MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D1F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/&
              Source: file.exe, 00000000.00000002.1408683703.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648923319.0000000000EC5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000EDC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/Mozilla/5.0
              Source: file.exe, 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1252876306.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1294004431.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648256336.000000000055D000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000F.00000003.1294088860.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1408057987.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000011.00000003.1419406208.0000000002860000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1530238789.000000000055D000.00000002.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000016.00000003.1503411648.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596034104.000000000055D000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
              Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1531975508.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000EB0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000E68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
              Source: RageMP131.exe, 00000016.00000002.1596888366.0000000000EB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.335
              Source: MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D2F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33o
              Source: file.exe, 00000000.00000002.1408683703.0000000000FBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33s
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000E81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/y
              Source: file.exe, 00000000.00000002.1408683703.0000000000FF6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648923319.0000000000EC5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
              Source: MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33%
              Source: RageMP131.exe, 00000016.00000002.1596888366.0000000000E68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33h
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
              Source: MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t._
              Source: file.exe, 00000000.00000002.1408683703.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649769976.0000000005796000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648923319.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1411349896.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1531975508.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000E68000.00000004.00000020.00020000.00000000.sdmp, EfSAyduNP94O7VkIcUcjXr_.zip.14.drString found in binary or memory: https://t.me/RiseProSUPPORT
              Source: MPGPH131.exe, 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORT-
              Source: MPGPH131.exe, 0000000E.00000002.1649769976.0000000005796000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTMP=C:
              Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000DCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTOCESSOR_IDENTIFIER=Intel%q
              Source: MPGPH131.exe, 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTv
              Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro
              Source: RageMP131.exe, 00000016.00000002.1596888366.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.14.drString found in binary or memory: https://t.me/risepro_bot
              Source: MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot33
              Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botB
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botL
              Source: file.exe, 00000000.00000002.1408683703.000000000100F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botO
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botZ
              Source: RageMP131.exe, 00000016.00000002.1596888366.0000000000EFC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botisepro_bot
              Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botq
              Source: MPGPH131.exe, 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.y
              Source: MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.drString found in binary or memory: https://www.ecosia.org/newtab/
              Source: MPGPH131.exe, 0000000E.00000003.1435312105.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1424968806.0000000005BE8000.00000004.00000020.00020000.00000000.sdmp, Bafr0LqMPV7GWeb Data.14.dr, h5oY31u6hqY9Web Data.14.dr, oqtSf5YllwSpWeb Data.14.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: file.exe, MPGPH131.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
              Source: MPGPH131.exe, 0000000E.00000002.1649769976.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1419793250.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1423274122.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/g
              Source: MPGPH131.exe, 0000000E.00000003.1420362412.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649769976.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1419793250.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1423274122.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.14.dr, D87fZN3R3jFeplaces.sqlite.15.dr, D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
              Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: MPGPH131.exe, 0000000E.00000003.1420362412.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649769976.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1419793250.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648923319.0000000000E8B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1423274122.00000000057A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
              Source: MPGPH131.exe, 0000000E.00000002.1649769976.00000000057A1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/#
              Source: MPGPH131.exe, 0000000E.00000003.1420362412.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1649769976.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1419793250.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1423274122.00000000057A1000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.14.dr, D87fZN3R3jFeplaces.sqlite.15.dr, D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
              Source: unknownNetwork traffic detected: HTTP traffic on port 49717 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
              Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49704 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49705 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49706 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49707 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49708 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49709 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49717 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49718 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49724 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49725 version: TLS 1.2
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_004E5FF0 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,705374A0,DeleteObject,DeleteObject,ReleaseDC

              System Summary

              Source: file.exe Static PE information: section name:
              Source: file.exe Static PE information: section name:
              Source: file.exe Static PE information: section name:
              Source: file.exe Static PE information: section name:
              Source: RageMP131.exe.0.dr Static PE information: section name:
              Source: RageMP131.exe.0.dr Static PE information: section name:
              Source: RageMP131.exe.0.dr Static PE information: section name:
              Source: RageMP131.exe.0.dr Static PE information: section name:
              Source: MPGPH131.exe.0.dr Static PE information: section name:
              Source: MPGPH131.exe.0.dr Static PE information: section name:
              Source: MPGPH131.exe.0.dr Static PE information: section name:
              Source: MPGPH131.exe.0.dr Static PE information: section name:
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0049F0D0
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004AA200
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0049D3A0
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0053F550
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004FAD00
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0049AF60
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0043C960
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0043A928
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004371A0
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0044036F
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004A4320
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00458BB0
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004963B0
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004EEC40
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004EFC40
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00534D40
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00546D20
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00545DE0
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0042F580
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00452610
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004A3610
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00458E30
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004986B0
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00547760
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F2FD0
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004E77E0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_0044002D
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_004DF030
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_0049F0D0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_004AA200
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_0049D3A0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_004963B0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_00490440
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_004DE430
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_0053F550
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_004D7600
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_004986B0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_0040B8E0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_00481C10
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_004FAD00
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_00493F40
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_0049AF60
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_004DFF00
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_00493080
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_004371A0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_0044036F
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_004A4320
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_004845E0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_0042F580
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_004A3610
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_005486C0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_00547760
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_004E77E0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_004547BF
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_0043C960
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_0043A928
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_0044DA86
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_00458BB0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_004EEC40
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_004EFC40
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_00534D40
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_00546D20
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_00545DE0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_00458E30
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_00541F00
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 14_2_004F2FD0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: String function: 0041ACE0 appears 86 times
              Source: C:\Users\user\Desktop\file.exeCode function: String function: 0041ACE0 appears 77 times
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 824
              Source: file.exeBinary or memory string: OriginalFilename vs file.exe
              Source: file.exe, 00000000.00000000.1250380943.000000000058A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamedotnet.exe6 vs file.exe
              Source: file.exe, 00000000.00000002.1406907800.000000000058A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamedotnet.exe6 vs file.exe
              Source: file.exeBinary or memory string: OriginalFilenamedotnet.exe6 vs file.exe
              Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: file.exeStatic PE information: Section: ZLIB complexity 0.9981028117541766
              Source: file.exeStatic PE information: Section: ZLIB complexity 0.9910126879699248
              Source: file.exeStatic PE information: Section: ZLIB complexity 0.990234375
              Source: file.exeStatic PE information: Section: .reloc ZLIB complexity 1.5
              Source: RageMP131.exe.0.drStatic PE information: Section: ZLIB complexity 0.9981028117541766
              Source: RageMP131.exe.0.drStatic PE information: Section: ZLIB complexity 0.9910126879699248
              Source: RageMP131.exe.0.drStatic PE information: Section: ZLIB complexity 0.990234375
              Source: RageMP131.exe.0.drStatic PE information: Section: .reloc ZLIB complexity 1.5
              Source: MPGPH131.exe.0.drStatic PE information: Section: ZLIB complexity 0.9981028117541766
              Source: MPGPH131.exe.0.drStatic PE information: Section: ZLIB complexity 0.9910126879699248
              Source: MPGPH131.exe.0.drStatic PE information: Section: ZLIB complexity 0.990234375
              Source: MPGPH131.exe.0.drStatic PE information: Section: .reloc ZLIB complexity 1.5
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@12/33@2/3
              Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004E77E0 CopyFileA,GetLastError,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle
              Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\RageMP131
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3364:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4828:120:WilError_03
              Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3308
              Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user~1\AppData\Local\Temp\rage131MP.tmp
              Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: file.exe, 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1252876306.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1294004431.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648256336.000000000055D000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000F.00000003.1294088860.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1408057987.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000011.00000003.1419406208.0000000002860000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1530238789.000000000055D000.00000002.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000016.00000003.1503411648.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596034104.000000000055D000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: file.exe, 00000000.00000002.1406862853.000000000055D000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1252876306.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1294004431.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648256336.000000000055D000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000F.00000003.1294088860.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1408057987.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000011.00000003.1419406208.0000000002860000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1530238789.000000000055D000.00000002.00000001.01000000.00000007.sdmp, RageMP131.exe, 00000016.00000003.1503411648.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596034104.000000000055D000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: MPGPH131.exe, 0000000E.00000003.1436387408.00000000057A5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1420287683.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1420362412.000000000578D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000003.1423274122.000000000578D000.00000004.00000020.00020000.00000000.sdmp, XV6CMo7Jg4S7Login Data For Account.14.dr, diymrzMDsfMULogin Data.14.dr, 4k4Hzk2ExswRLogin Data.14.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: file.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
              Source: MPGPH131.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
              Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
              Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
              Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
              Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
              Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 824
              Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
              Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: d3d11.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: dxgi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: resourcepolicyclient.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: d3d10warp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: dxcore.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: devobj.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: vaultcli.dll
              Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: apphelp.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d11.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxgi.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: resourcepolicyclient.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: kernel.appcore.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d10warp.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: uxtheme.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxcore.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: webio.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: iphlpapi.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winnsi.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dnsapi.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: fwpuclnt.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rasadhlp.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: schannel.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mskeyprotect.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncryptsslp.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msasn1.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptsp.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rsaenh.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptbase.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: gpapi.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: vaultcli.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wintypes.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: windows.storage.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wldp.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntmarta.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dpapi.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d11.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxgi.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: resourcepolicyclient.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: kernel.appcore.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: d3d10warp.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: uxtheme.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dxcore.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: webio.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: iphlpapi.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winnsi.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: dnsapi.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rasadhlp.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: fwpuclnt.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: schannel.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mskeyprotect.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncryptsslp.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: msasn1.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptsp.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rsaenh.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: cryptbase.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: gpapi.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: windows.storage.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wldp.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: vaultcli.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wintypes.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rstrtmgr.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d11.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxgi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: resourcepolicyclient.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d10warp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxcore.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wininet.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: devobj.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: webio.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: schannel.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rstrtmgr.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d11.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxgi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: resourcepolicyclient.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: d3d10warp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dxcore.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wininet.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: devobj.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: webio.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: schannel.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: gpapi.dll
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: file.exe | Static file information: File size 3288080 > 1048576
              Source: file.exe | Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x26b400
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject | 0_2_004CF280
              Source: initial sample | Static PE information: section where entry point is pointing to: .boot
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name:
              Source: file.exe | Static PE information: section name: .themida
              Source: file.exe | Static PE information: section name: .boot
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name:
              Source: RageMP131.exe.0.dr | Static PE information: section name: .themida
              Source: RageMP131.exe.0.dr | Static PE information: section name: .boot
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name:
              Source: MPGPH131.exe.0.dr | Static PE information: section name: .themida
              Source: MPGPH131.exe.0.dr | Static PE information: section name: .boot
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0064E8B4 push 5171531Fh; mov dword ptr [esp], ebp | 0_2_008CC8C0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0064E8B4 push edi; mov dword ptr [esp], ebx | 0_2_008CC8C4
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00433F59 push ecx; ret | 0_2_00433F6C
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_0064E8B4 push 5171531Fh; mov dword ptr [esp], ebp | 14_2_008CC8C0
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_0064E8B4 push edi; mov dword ptr [esp], ebx | 14_2_008CC8C4
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 14_2_00433F59 push ecx; ret | 14_2_00433F6C
              Source: file.exe | Static PE information: section name: entropy: 7.974899357034606
              Source: RageMP131.exe.0.dr | Static PE information: section name: entropy: 7.974899357034606
              Source: MPGPH131.exe.0.dr | Static PE information: section name: entropy: 7.974899357034606
              Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
              Source: C:\Users\user\Desktop\file.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe
              Source: C:\Users\user\Desktop\file.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
              Source: C:\Users\user\Desktop\file.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\file.exeStalling execution: Execution stalls by calling Sleep graph_0-36643
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeStalling execution: Execution stalls by calling Sleep graph_14-53648
              Source: C:\Users\user\Desktop\file.exeSystem information queried: FirmwareTableInformation
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeSystem information queried: FirmwareTableInformation
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSystem information queried: FirmwareTableInformation
              Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
              Source: C:\Users\user\Desktop\file.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-36642
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_14-53669
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_14-46125
              Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-36788
              Source: C:\Users\user\Desktop\file.exe TID: 6348Thread sleep count: 34 > 30
              Source: C:\Users\user\Desktop\file.exe TID: 6348Thread sleep count: 37 > 30
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3216Thread sleep count: 81 > 30
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6756Thread sleep count: 83 > 30
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7268Thread sleep count: 136 > 30
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7624Thread sleep count: 45 > 30
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeLast function: Thread delayed
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004C6000 FindFirstFileA,FindNextFileA,GetLastError,FindClose,0_2_004C6000
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,0_2_00432022
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,0_2_004E6770
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError,0_2_00431F9C
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 14_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,14_2_004C6000
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 14_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,14_2_004E6770
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 14_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,14_2_00493F40
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 14_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,14_2_004DFF00
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 14_2_00431F9C FindClose,FindFirstFileExW,GetLastError,14_2_00431F9C
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 14_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,14_2_00432022
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 14_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,14_2_004938D0
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000EC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Dk&Ven_VMware&P
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: netportal.hdfcbank.comVMware20,11696492231
              Source: file.exe, 00000000.00000002.1408683703.000000000100F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBn
              Source: MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D35000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWh
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ra Change Transaction PasswordVMware20,11696492231
              Source: MPGPH131.exe, 0000000E.00000002.1649901501.0000000005BC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}}C
              Source: MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D35000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000E9D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&NE
              Source: Amcache.hve.21.drBinary or memory string: vmci.sys
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: global block list test formVMware20,11696492231
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: bankofamerica.comVMware20,11696492231x
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: comVMware20,11696492231o
              Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000E1A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWXn
              Source: Amcache.hve.21.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
              Source: Amcache.hve.21.drBinary or memory string: VMware PCI VMCI Bus Device
              Source: Amcache.hve.21.drBinary or memory string: VMware Virtual RAM
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696492231
              Source: Amcache.hve.21.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
              Source: Amcache.hve.21.drBinary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: turbotax.intuit.comVMware20,11696492231t
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: Interactive Brokers - HKVMware20,11696492231]
              Source: MPGPH131.exe, 0000000E.00000002.1649769976.00000000057A1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_9C3F3566
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
              Source: Amcache.hve.21.drBinary or memory string: VMware Virtual USB Mouse
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: interactivebrokers.co.inVMware20,11696492231d
              Source: RageMP131.exe, 00000016.00000002.1596888366.0000000000EC0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tive Brokers - non-EU EuropeVMware20,11696492231
              Source: RageMP131.exe, 00000016.00000003.1528744564.0000000000EC8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
              Source: Amcache.hve.21.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
              Source: MPGPH131.exe, 0000000E.00000002.1649769976.0000000005760000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}L~
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696492231
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: formVMware20,11696492231
              Source: Amcache.hve.21.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696492
              Source: file.exe, 00000000.00000002.1408683703.0000000000F70000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000g
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: r global passwords blocklistVMware20,11696492231
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: www.interactivebrokers.comVMware20,11696492231}
              Source: Amcache.hve.21.drBinary or memory string: vmci.syshbin`
              Source: Amcache.hve.21.drBinary or memory string: \driver\vmci,\driver\pci
              Source: file.exe, 00000000.00000002.1408683703.0000000000F70000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000@Z
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,1169649223
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CT service, encrypted_token FROM token_servicerr global passwords blocklistVMware20,11696492231
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
              Source: RageMP131.exe, 00000016.00000002.1596888366.0000000000EB0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&)8:
              Source: Amcache.hve.21.drBinary or memory string: VMware
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
              Source: MPGPH131.exe, 0000000E.00000002.1649769976.0000000005760000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\User Data\bmikpgodpkclnkgmnpphehdgcimmided\CURRENT}z.
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: Canara Transaction PasswordVMware20,11696492231}
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: o.inVMware20,11696492231~
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: outlook.office.comVMware20,11696492231s
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: AMC password management pageVMware20,11696492231
              Source: Amcache.hve.21.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: pageformVMware20,11696492231
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: interactivebrokers.comVMware20,11696492231
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: microsoft.visualstudio.comVMware20,11696492231x
              Source: file.exe, 00000000.00000002.1408683703.000000000100F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648923319.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.1411349896.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.1531975508.0000000000E46000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000016.00000002.1596888366.0000000000EB0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000EB0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}qE
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
              Source: RageMP131.exe, 00000016.00000003.1528744564.0000000000EC8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: outlook.office365.comVMware20,11696492231t
              Source: Amcache.hve.21.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: discord.comVMware20,11696492231f
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: tasks.office.comVMware20,11696492231o
              Source: Amcache.hve.21.drBinary or memory string: VMware20,1
              Source: Amcache.hve.21.drBinary or memory string: Microsoft Hyper-V Generation Counter
              Source: Amcache.hve.21.drBinary or memory string: NECVMWar VMware SATA CD00
              Source: Amcache.hve.21.drBinary or memory string: VMware Virtual disk SCSI Disk Device
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: account.microsoft.com/profileVMware20,11696492231u
              Source: Amcache.hve.21.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231
              Source: Amcache.hve.21.drBinary or memory string: VMware VMCI Bus Device
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: Canara Transaction PasswordVMware20,11696492231x
              Source: Amcache.hve.21.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,116(
              Source: RageMP131.exe, 00000016.00000002.1596888366.0000000000EFC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBnIA
              Source: RageMP131.exe, 00000011.00000002.1531975508.0000000000E1A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ccount.microsoft.com/profileVMware20,11696492231u
              Source: Amcache.hve.21.drBinary or memory string: vmci.syshbin
              Source: Amcache.hve.21.drBinary or memory string: VMware, Inc.
              Source: Amcache.hve.21.drBinary or memory string: VMware20,1hbin@
              Source: Amcache.hve.21.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
              Source: Amcache.hve.21.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: file.exe, 00000000.00000002.1408683703.0000000000FCA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW(
              Source: MPGPH131.exe, 0000000E.00000002.1649769976.0000000005760000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\User Data\igkpcodhieompeloncfnbekccinhapdb\CURRENT
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
              Source: Amcache.hve.21.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
              Source: MPGPH131.exe, 0000000E.00000003.1439227196.0000000005BD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rootpagecomVMware20,11696492231o
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: dev.azure.comVMware20,11696492231j
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: trackpan.utiitsl.comVMware20,11696492231h
              Source: Amcache.hve.21.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.21.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
              Source: MBy5KfxI1GpwWeb Data.14.drBinary or memory string: ms.portal.azure.comVMware20,11696492231
              Source: MPGPH131.exe, 0000000E.00000003.1320967567.0000000000EB0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}mD
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess information queried: ProcessInformation
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess queried: DebugPort
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00438A64
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,0_2_004CF280
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004C6D80 mov eax, dword ptr fs:[00000030h]0_2_004C6D80
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 14_2_004C6D80 mov eax, dword ptr fs:[00000030h]14_2_004C6D80
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 14_2_00493F40 mov eax, dword ptr fs:[00000030h]14_2_00493F40
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004E9A70 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree,0_2_004E9A70
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0043451D
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 14_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_0043451D
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 14_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_00438A64

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,0_2_004CF280
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 14_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,14_2_004CF280
              Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_004531CA
              Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_0044B1B1
              Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004532F3
              Source: C:\Users\user\Desktop\file.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00452B5A
              Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_004533F9
              Source: C:\Users\user\Desktop\file.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_004534CF
              Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_00452D5F
              Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_00452E51
              Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_00452E06
              Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,0_2_00452EEC
              Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00452F77
              Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,0_2_0044B734
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,14_2_004DFF00
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,14_2_004531CA
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,14_2_0044B1B1
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,14_2_004532F3
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,14_2_004533F9
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,14_2_004534CF
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,14_2_0044B734
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,14_2_00452B5A
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,14_2_00452D5F
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,14_2_00452E51
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,14_2_00452E06
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,14_2_00452EEC
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,14_2_00452F77
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformation
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite VolumeInformation
              Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0043361D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,0_2_0043361D
              Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 14_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,14_2_004DFF00
              Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: Amcache.hve.21.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
              Source: Amcache.hve.21.dr | Binary or memory string: msmpeng.exe
              Source: Amcache.hve.21.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
              Source: Amcache.hve.21.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
              Source: Amcache.hve.21.dr | Binary or memory string: MsMpEng.exe

              Stealing of Sensitive Information

              Source: Yara match | File source: 0000000E.00000002.1649769976.0000000005796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: file.exe PID: 4536, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 3308, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7112, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7264, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7620, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\EfSAyduNP94O7VkIcUcjXr_.zip, type: DROPPED
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000E9D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\walletsFo
              Source: file.exe, 00000000.00000002.1413592341.0000000005859000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: Jaxx Liberty Extension
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Jaxx\Local Storage\Autofill
              Source: file.exe, 00000000.00000002.1413592341.0000000005859000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: Exodus_E
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json2Vo
              Source: MPGPH131.exe, 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsN16l7
              Source: MPGPH131.exe, 0000000E.00000002.1649769976.0000000005760000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger LivealV
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default\formhistory.sqlite
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default\logins.json
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default\signons.sqlite
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\y572q81e.default\places.sqlite
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\signons.sqlite
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File read: C:\Users\user\AppData\Local\Temp\trixyTk4mNNg5wnH2\Cookies\Chrome_Default.txt
              Source: Yara match | File source: 0000000E.00000002.1648923319.0000000000ED1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 3308, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 0000000E.00000002.1649769976.0000000005796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.1441139186.0000000000F28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.1649316109.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: file.exe PID: 4536, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 3308, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7112, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7264, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7620, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\EfSAyduNP94O7VkIcUcjXr_.zip, type: DROPPED

              MITRE ATT&CK Matrix (a leading number is the count of report signatures mapped to that technique):

              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 Scheduled Task/Job | 11 Process Injection | 3 Obfuscated Files or Information | 1 Credentials In Files | 1 Account Discovery | Remote Desktop Protocol | 21 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 2 Software Packing | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | NTDS | 35 System Information Discovery | Distributed Component Object Model | 1 Email Collection | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 1 Query Registry | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 13 Virtualization/Sandbox Evasion | Cached Domain Credentials | 351 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Process Injection | DCSync | 13 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
              IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

              [Behavior graph: image not captured. Behavior Graph ID: 1460423, Sample: file.exe, Startdate: 21/06/2024, Architecture: WINDOWS, Score: 100. Recoverable node content: file.exe connects to 77.91.77.66 (ports 49701, 49702, 49703; FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU, Russian Federation), to ipinfo.io at 34.117.186.192 (port 443; GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States) and to db-ip.com at 172.67.75.166 (port 443; CLOUDFLARENETUS, United States); it drops RageMP131.exe (under C:\Users\user\AppData\Local\...) and C:\ProgramData\MPGPH131\MPGPH131.exe, both PE32, each with a Zone.Identifier ADS, and starts schtasks.exe twice, each spawning conhost.exe. MPGPH131.exe drops the .zip under C:\Users\user\... and starts WerFault.exe; RageMP131.exe also runs. Signatures attached to the graph: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Yara detected RisePro Stealer; Query firmware table information (likely to detect VMs); Found many strings related to Crypto-Wallets (likely being stolen); Found stalling execution ending in API Sleep call; Multi AV Scanner detection for dropped file; Tries to steal Mail credentials (via file / registry access); Machine Learning detection for dropped file; Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to harvest and steal browser information (history, passwords, etc).]
