Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1461913
MD5:	25b65b2ba97aed1e863cd281e0362f77
SHA1:	dda86428b789ab14ef7e98c474478bd0fd0b8840
SHA256:	ee85726eda426921bea54b277c97a67a84a79897f238633abf141815ba8bf0db
Tags:	exe
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected RisePro Stealer

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject threads in other processes

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 25B65B2BA97AED1E863CD281E0362F77)

schtasks.exe (PID: 8092 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8140 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 2920 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7488 -s 1908 MD5: C31336C1EFC2CCB44B4326EA793040F2)

MPGPH131.exe (PID: 3488 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 25B65B2BA97AED1E863CD281E0362F77)

MPGPH131.exe (PID: 7208 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 25B65B2BA97AED1E863CD281E0362F77)

RageMP131.exe (PID: 5672 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 25B65B2BA97AED1E863CD281E0362F77)

RageMP131.exe (PID: 7520 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 25B65B2BA97AED1E863CD281E0362F77)

WerFault.exe (PID: 7900 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 1756 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\kRsLnWC8nSKO7cxBB_GPBsv.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\4ML83FcuAgQz3IZIJQZt9jp.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.3990852443.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.4140603731.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000C.00000002.4193013523.0000000005921000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000C.00000003.4115689761.000000000591E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.4141399412.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 7488	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: file.exe PID: 7488	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 5672	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7520	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7520	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 7488, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort Signatures

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/24/24-19:25:41.283808
SID:	2046269
Source Port:	49738
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/24/24-19:26:10.710261
SID:	2046269
Source Port:	49741
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/24/24-19:25:38.596585
SID:	2046266
Source Port:	58709
Destination Port:	49744
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/24/24-19:25:49.515462
SID:	2046267
Source Port:	58709
Destination Port:	49744
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/24/24-19:23:28.476446
SID:	2049060
Source Port:	49738
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/24/24-19:25:33.081920
SID:	2046267
Source Port:	58709
Destination Port:	49741
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/24/24-19:25:30.520801
SID:	2046266
Source Port:	58709
Destination Port:	49741
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/24/24-19:23:40.001411
SID:	2046267
Source Port:	58709
Destination Port:	49738
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/24/24-19:25:41.518335
SID:	2046269
Source Port:	49744
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/24/24-19:23:29.079279
SID:	2046266
Source Port:	58709
Destination Port:	49738
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://77.91.77.81/cost/go.exe	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe338	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe00.1	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004C6B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,

0_2_004C6B00

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49746 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,	0_2_004C6000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	0_2_004E6770
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,	0_2_00493F40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	0_2_004DFF00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError,	0_2_00431F9C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	0_2_00432022
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	0_2_004938D0

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49738 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49738
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49738 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49738
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49741
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49741
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49741 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49744
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49744 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49744

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9

Source: global traffic

TCP traffic: 192.168.2.4:49738 -> 77.91.77.66:58709

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 104.26.5.15 104.26.5.15
Source: Joe Sandbox View	IP Address: 77.91.77.66 77.91.77.66

Source: Joe Sandbox View

ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004C8590 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,FreeAddrInfoW,WSACleanup,FreeAddrInfoW,

0_2_004C8590

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: db-ip.com

Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191930891.0000000000B5C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4115654237.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/cost/go.exe
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/cost/lenin.exe
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/cost/lenin.exe00.1
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/mine/amadka.exe
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/mine/amadka.exe338
Source: Amcache.hve.15.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000000.00000003.1730186616.0000000000B60000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.4131200239.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000009.00000002.4205214510.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2549100444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4205114478.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2551685082.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2625846209.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4205140259.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2705552575.0000000002510000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4181871534.000000000055D000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/G
Source: RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
Source: RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.339
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33rHt
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33routz-
Source: file.exe, 00000000.00000002.4141399412.0000000000DF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/f
Source: RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/vR
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33
Source: file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000AF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/I
Source: file.exe, 00000000.00000002.4141399412.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/S~
Source: file.exe, 00000000.00000003.1730186616.0000000000B60000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.4131200239.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000009.00000002.4205214510.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2549100444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4205114478.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2551685082.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2625846209.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4205140259.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2705552575.0000000002510000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4181871534.000000000055D000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: file.exe, 00000000.00000002.4141399412.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4141399412.0000000000D80000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4226656501.0000000000D4B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4226656501.0000000000D18000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33s
Source: file.exe, 00000000.00000002.4141399412.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
Source: file.exe, 00000000.00000003.3951277540.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mG
Source: file.exe, 00000000.00000003.3951277540.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.microsoft.
Source: file.exe, 00000000.00000003.3951277540.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.microsoft..
Source: D87fZN3R3jFeplaces.sqlite.12.dr	String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.12.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.12.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: file.exe, 00000000.00000003.3949358499.0000000000C24000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947298346.0000000000C04000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4108491697.000000000594B000.00000004.00000020.00020000.00000000.sdmp, AJtuLK1vTV6ZHistory.12.dr, 4eIBzLItYm9HHistory.12.dr, a5tnyiyBgaPrHistory.0.dr, 8NRYQ89STpI4History.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: AJtuLK1vTV6ZHistory.12.dr, 4eIBzLItYm9HHistory.12.dr, a5tnyiyBgaPrHistory.0.dr, 8NRYQ89STpI4History.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: file.exe, 00000000.00000003.3949358499.0000000000C24000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947298346.0000000000C04000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4108491697.000000000594B000.00000004.00000020.00020000.00000000.sdmp, AJtuLK1vTV6ZHistory.12.dr, 4eIBzLItYm9HHistory.12.dr, a5tnyiyBgaPrHistory.0.dr, 8NRYQ89STpI4History.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: AJtuLK1vTV6ZHistory.12.dr, 4eIBzLItYm9HHistory.12.dr, a5tnyiyBgaPrHistory.0.dr, 8NRYQ89STpI4History.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: file.exe, 00000000.00000003.3990852443.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4141399412.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4226656501.0000000000CFE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4193013523.0000000005921000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4115689761.000000000591E000.00000004.00000020.00020000.00000000.sdmp, kRsLnWC8nSKO7cxBB_GPBsv.zip.12.dr, 4ML83FcuAgQz3IZIJQZt9jp.zip.0.dr	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: file.exe, 00000000.00000003.3990852443.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT&
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000A87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTV
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.12.dr, passwords.txt.0.dr	String found in binary or memory: https://t.me/risepro_bot
Source: RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot.com
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botrisep
Source: RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botrisepro
Source: file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: D87fZN3R3jFeplaces.sqlite.12.dr	String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.12.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: D87fZN3R3jFeplaces.sqlite.12.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/A
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/C
Source: file.exe, 00000000.00000003.3951277540.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3990852443.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3948383069.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3948602349.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947850574.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4193013523.0000000005902000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, 3b6N2Xdh3CYwplaces.sqlite.12.dr, D87fZN3R3jFeplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.12.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/H
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/J
Source: D87fZN3R3jFeplaces.sqlite.12.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/3
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/Dragon
Source: file.exe, 00000000.00000003.3951277540.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3990852443.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3948383069.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3948602349.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947850574.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4193013523.0000000005902000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, 3b6N2Xdh3CYwplaces.sqlite.12.dr, D87fZN3R3jFeplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.12.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/r

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49746 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044002D	0_2_0044002D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DF030	0_2_004DF030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0049F0D0	0_2_0049F0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004AA200	0_2_004AA200
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0049D3A0	0_2_0049D3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004963B0	0_2_004963B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00490440	0_2_00490440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DE430	0_2_004DE430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053F550	0_2_0053F550
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D7600	0_2_004D7600
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004986B0	0_2_004986B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040B8E0	0_2_0040B8E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00458BB0	0_2_00458BB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00481C10	0_2_00481C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004FAD00	0_2_004FAD00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00493F40	0_2_00493F40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0049AF60	0_2_0049AF60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DFF00	0_2_004DFF00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00493080	0_2_00493080
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004371A0	0_2_004371A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044036F	0_2_0044036F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A4320	0_2_004A4320
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004845E0	0_2_004845E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042F580	0_2_0042F580
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A3610	0_2_004A3610
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005486C0	0_2_005486C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00547760	0_2_00547760
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E77E0	0_2_004E77E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004547BF	0_2_004547BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043C960	0_2_0043C960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043A928	0_2_0043A928
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044DA86	0_2_0044DA86
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004EEC40	0_2_004EEC40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004EFC40	0_2_004EFC40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00534D40	0_2_00534D40

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 0041ACE0 appears 85 times

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7488 -s 1908

Source: file.exe	Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000003.3990331949.0000000004784000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedotnet.exe6 vs file.exe
Source: file.exe, 00000000.00000002.4131454189.0000000000598000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedotnet.exe6 vs file.exe
Source: file.exe, 00000000.00000002.4131377991.000000000058A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedotnet.exe6 vs file.exe
Source: file.exe, 00000000.00000003.1730229244.0000000000B60000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedotnet.exe6 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamedotnet.exe6 vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9987072394590294
Source: file.exe	Static PE information: Section: ZLIB complexity 0.9943462171052632
Source: file.exe	Static PE information: Section: ZLIB complexity 0.99267578125
Source: file.exe	Static PE information: Section: ZLIB complexity 1.0023871527777777
Source: file.exe	Static PE information: Section: .reloc ZLIB complexity 1.5
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9987072394590294
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9943462171052632
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.99267578125
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 1.0023871527777777
Source: RageMP131.exe.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.5
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9987072394590294
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9943462171052632
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.99267578125
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 1.0023871527777777
Source: MPGPH131.exe.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.5

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@13/56@3/3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,

0_2_004DFF00

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7520
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7488
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000003.1730186616.0000000000B60000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.4131200239.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000009.00000002.4205214510.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2549100444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4205114478.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2551685082.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2625846209.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4205140259.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2705552575.0000000002510000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4181871534.000000000055D000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000003.1730186616.0000000000B60000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.4131200239.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000009.00000002.4205214510.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2549100444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4205114478.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2551685082.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2625846209.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4205140259.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2705552575.0000000002510000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4181871534.000000000055D000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000003.3946946939.0000000000C5C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3946880676.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3946610816.0000000000C59000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4105410117.0000000005905000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106158216.0000000005905000.00000004.00000020.00020000.00000000.sdmp, yNHsMmvixazKLogin Data For Account.12.dr, XjpAQ5NNLFgdLogin Data For Account.0.dr, 3bUDfKkYHRRCLogin Data.0.dr, g4ngTia0RD8YLogin Data.12.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

ReversingLabs: Detection: 55%

Source: file.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7488 -s 1908
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 1756
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: file.exe

Static file information: File size 5057040 > 1048576

Source: file.exe

Static PE information: Raw size of .themida is bigger than: 0x100000 < 0x41a000

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,

0_2_004CF280

Source: initial sample

Static PE information: section where entry point is pointing to: .themida

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .themida
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .themida
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .themida

Source: file.exe	Static PE information: section name: entropy: 7.9785339651284515
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.9785339651284515
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.9785339651284515

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\file.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-47236

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\file.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	System information queried: FirmwareTableInformation	Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-47236

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-47347

Source: C:\Users\user\Desktop\file.exe TID: 7492	Thread sleep count: 47 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7492	Thread sleep count: 95 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 8188	Thread sleep count: 50 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7492	Thread sleep count: 173 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7492	Thread sleep count: 127 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4564	Thread sleep count: 95 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1196	Thread sleep count: 98 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1196	Thread sleep count: 54 > 30	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,	0_2_004C6000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	0_2_004E6770
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,	0_2_00493F40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	0_2_004DFF00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError,	0_2_00431F9C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	0_2_00432022
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	0_2_004938D0

Source: C:\Users\user\Desktop\file.exe

0_2_004DFF00

Source: Amcache.hve.15.dr	Binary or memory string: VMware
Source: file.exe, 00000000.00000002.4141399412.0000000000D80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: MPGPH131.exe, 0000000A.00000002.4225445070.0000000000C17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__13N
Source: Amcache.hve.15.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4226656501.0000000000D4B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RageMP131.exe, 0000000B.00000003.3744880885.0000000000D62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.15.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: RageMP131.exe, 0000000C.00000003.4115654237.0000000000B59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}sz
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000A80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&QI\|
Source: Amcache.hve.15.dr	Binary or memory string: vmci.sys
Source: RageMP131.exe, 0000000B.00000003.3744880885.0000000000D64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}a~
Source: RageMP131.exe, 0000000B.00000002.4226656501.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000SOR_IDENTIFIER=Intel64 Family
Source: Amcache.hve.15.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.15.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.15.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.15.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.15.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.15.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.15.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.15.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.15.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual USB Mouse
Source: RageMP131.exe, 0000000B.00000002.4226656501.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: Amcache.hve.15.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.15.dr	Binary or memory string: VMware, Inc.
Source: RageMP131.exe, 0000000C.00000003.3825714540.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.15.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.15.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.15.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000000.00000002.4140528595.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}iles\fqs92o4p.default-release\signons.sqlite-journal;8
Source: Amcache.hve.15.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RageMP131.exe, 0000000C.00000003.4115654237.0000000000B59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}/7rrP9UK+nYJkDUaruLFsmiax3GAXC2Igj63N1koqBHsy38rIIvg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*}
Source: file.exe, 00000000.00000002.4141399412.0000000000D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&#
Source: Amcache.hve.15.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.15.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.15.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: RageMP131.exe, 0000000C.00000003.3825714540.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}sH\|
Source: Amcache.hve.15.dr	Binary or memory string: vmci.syshbin`
Source: MPGPH131.exe, 00000009.00000002.4226302910.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__m
Source: Amcache.hve.15.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.15.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MPGPH131.exe, 00000009.00000002.4226115563.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4225147379.0000000000A85000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: RageMP131.exe, 0000000C.00000002.4193013523.0000000005902000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}es=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsww
Source: Amcache.hve.15.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: file.exe, 00000000.00000003.3958447503.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Cs
Source: file.exe, 00000000.00000002.4140528595.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J6HEdjEHUub5EtqTQ2dk3wwrCNfruTWZeEqONRrqgXAW0ke6pZXg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*.br,w
Source: RageMP131.exe, 0000000C.00000002.4193013523.0000000005932000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4E00BE1E
Source: RageMP131.exe, 0000000B.00000002.4226656501.0000000000D18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00438A64

Source: C:\Users\user\Desktop\file.exe

0_2_004CF280

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C6D80 mov eax, dword ptr fs:[00000030h]		0_2_004C6D80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00493F40 mov eax, dword ptr fs:[00000030h]		0_2_00493F40

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004E9A70 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree,

0_2_004E9A70

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_0043451D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00438A64

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\file.exe

0_2_004CF280

Source: C:\Users\user\Desktop\file.exe	Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	0_2_004DFF00
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_004531CA
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_0044B1B1
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_004532F3
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_004533F9
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_004534CF
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_0044B734
Source: C:\Users\user\Desktop\file.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00452B5A
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00452D5F

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_004DFF00

Source: C:\Users\user\Desktop\file.exe

0_2_004DFF00

Source: C:\Users\user\Desktop\file.exe

0_2_004DFF00

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.15.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: 00000000.00000003.3990852443.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4140603731.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4193013523.0000000005921000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.4115689761.000000000591E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4141399412.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 5672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7520, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\kRsLnWC8nSKO7cxBB_GPBsv.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4ML83FcuAgQz3IZIJQZt9jp.zip, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe, 00000000.00000002.4141399412.0000000000DF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\walletsYMu
Source: file.exe, 00000000.00000003.3956116798.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: file.exe, 00000000.00000003.3956116798.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Jaxx\Local Storage*7
Source: file.exe, 00000000.00000003.3956116798.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe, 00000000.00000002.4141399412.0000000000D8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: file.exe, 00000000.00000003.3956116798.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe, 00000000.00000003.3956116798.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.jsonP
Source: file.exe, 00000000.00000002.4141399412.0000000000D8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: file.exe, 00000000.00000003.3956116798.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletses
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000A87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7520, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 00000000.00000003.3990852443.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4140603731.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4193013523.0000000005921000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.4115689761.000000000591E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4141399412.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 5672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7520, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\kRsLnWC8nSKO7cxBB_GPBsv.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4ML83FcuAgQz3IZIJQZt9jp.zip, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	11 Process Injection	2 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	2 Software Packing	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	35 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	351 Security Software Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	13 Virtualization/Sandbox Evasion	Cached Domain Credentials	13 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
file.exe