Windows Analysis Report
2zdult23rz.exe

Overview

General Information

Sample name:	2zdult23rz.exe renamed because original name is a hash value
Original sample name:	733c1261cf02626f2354e6339baa6717.exe
Analysis ID:	1434701
MD5:	733c1261cf02626f2354e6339baa6717
SHA1:	c9e3599e1d7983fa7439bf2ff122fd7e51a59b93
SHA256:	a14041622d7d427f0b7ea24efaa7e80a3b025c211273ce0914ee34b5e71bc8c4
Tags:	exe
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected RisePro Stealer

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject threads in other processes

Found API chain indicative of sandbox detection

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 2zdult23rz.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe

Avira: detection malicious, Label: HEUR/AGEN.1313019

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	ReversingLabs: Detection: 81%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Virustotal: Detection: 77%	Perma Link
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Virustotal: Detection: 77%	Perma Link

Multi AV Scanner detection for submitted file

Source: 2zdult23rz.exe	ReversingLabs: Detection: 81%
Source: 2zdult23rz.exe	Virustotal: Detection: 77%			Perma Link

Machine Learning detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 2zdult23rz.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004D1240 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,		0_2_004D1240
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004D1240 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,		9_2_004D1240

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\2zdult23rz.exe	Unpacked PE file: 0.2.2zdult23rz.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 10.2.MPGPH131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 16.2.RageMP131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 24.2.RageMP131.exe.400000.0.unpack

Uses 32bit PE files

Source: 2zdult23rz.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\2zdult23rz.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49718 version: TLS 1.2

Source:

Binary string: C:\dedazosole.pdb source: 2zdult23rz.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0044A4BD FindFirstFileExW,	0_2_0044A4BD
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004F2870 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	0_2_004F2870
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0042C82B FindClose,FindFirstFileExW,GetLastError,	0_2_0042C82B
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0042C8B1 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	0_2_0042C8B1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0044A4BD FindFirstFileExW,	9_2_0044A4BD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004F2870 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	9_2_004F2870
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0042C82B FindClose,FindFirstFileExW,GetLastError,	9_2_0042C82B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0042C8B1 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	9_2_0042C8B1

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.6:49699 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49699
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49699 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49700
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49701
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49700 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49701 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49709
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.6:49699
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.6:49700
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.6:49701
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.6:49709
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49709 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49711
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49711 -> 147.45.47.93:58709

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49699 -> 147.45.47.93:58709

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 147.45.47.93 147.45.47.93
Source: Joe Sandbox View	IP Address: 104.26.4.15 104.26.4.15

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

May check the online IP address of the machine

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_004D3150 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,freeaddrinfo,WSACleanup,freeaddrinfo,

0_2_004D3150

Source: global traffic	HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: db-ip.com

Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: 2zdult23rz.exe, 00000000.00000002.3357800955.0000000005CC3000.00000040.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3356779154.0000000005DF5000.00000040.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3356453066.0000000005C1A000.00000040.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3356388466.0000000005CCC000.00000040.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3357697042.0000000005D4D000.00000040.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibD
Source: RageMP131.exe, 00000018.00000002.3357977475.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.00000000044B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/89
Source: MPGPH131.exe, 0000000A.00000002.3355736939.00000000042F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/?
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/I
Source: RageMP131.exe, 00000010.00000002.3355352428.00000000044B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/Or
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/U
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/X9
Source: RageMP131.exe, 00000010.00000002.3355352428.00000000044B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=149.18.24.96
Source: MPGPH131.exe, 0000000A.00000002.3355736939.00000000042F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=149.18.24.965
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=149.18.24.96F5
Source: MPGPH131.exe, 0000000A.00000002.3355736939.00000000042F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=149.18.24.96o#
Source: RageMP131.exe, 00000010.00000002.3355352428.00000000044B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/ur
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.00000000042F7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.00000000044B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=149.18.24.96
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=149.18.24.968
Source: RageMP131.exe, 00000010.00000002.3355352428.000000000447C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: 2zdult23rz.exe, 00000000.00000003.2065919760.0000000006030000.00000004.00001000.00020000.00000000.sdmp, 2zdult23rz.exe, 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 2zdult23rz.exe, 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3357144489.0000000005F90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2120691078.0000000006130000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.3356718132.0000000005F10000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3349162153.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2143542863.00000000060B0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3356555753.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000003.2249432581.0000000006040000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3349183258.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000001.2249277297.00000000004E6000.00000004.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000018.00000002.3349156812.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000018.00000003.2350560646.0000000006080000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3357977475.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Content-Type:
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044A6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3355895754.00000000044E6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.00000000042EB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.00000000044A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: MPGPH131.exe, 0000000A.00000002.3355736939.00000000042B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/n
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.000000000445F000.00000004.00000020.00020000.00000000.sdmp, 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044A6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3355895754.000000000448C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.00000000042EB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.000000000429F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.00000000044A5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.000000000445E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/149.18.24.96
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/149.18.24.96a
Source: MPGPH131.exe, 0000000A.00000002.3355736939.00000000042EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/149.18.24.96
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044A6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.00000000044A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/149.18.24.96B
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/149.18.24.96E
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.000000000442E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3355895754.000000000445E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.0000000004277000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.000000000442E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3356346368.00000000041D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.000000000442E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTX
Source: 2zdult23rz.exe, 2zdult23rz.exe, 00000000.00000003.2065919760.0000000006030000.00000004.00001000.00020000.00000000.sdmp, 2zdult23rz.exe, 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 2zdult23rz.exe, 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000009.00000002.3357144489.0000000005F90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2120691078.0000000006130000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.3356718132.0000000005F10000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3349162153.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2143542863.00000000060B0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3356555753.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000003.2249432581.0000000006040000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3349183258.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000001.2249277297.00000000004E6000.00000004.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000018.00000002.3349156812.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000018.00000003.2350560646.0000000006080000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3357977475.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49718 version: TLS 1.2

Contains functionality to record screenshots

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_004F2150 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown,

0_2_004F2150

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000009.00000002.3356779154.0000000005DF5000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.3356453066.0000000005C1A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000018.00000002.3357697042.0000000005D4D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.3357800955.0000000005CC3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.3356718132.0000000005F10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000009.00000002.3357144489.0000000005F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000010.00000002.3356388466.0000000005CCC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000010.00000002.3356555753.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000018.00000002.3357977475.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Detected potential crypto function

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004DF790	0_2_004DF790
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00453C30	0_2_00453C30
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0042A040	0_2_0042A040
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0044F050	0_2_0044F050
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0050D010	0_2_0050D010
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0052A080	0_2_0052A080
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004FC0A0	0_2_004FC0A0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004FB0A0	0_2_004FB0A0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_005040A0	0_2_005040A0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00510140	0_2_00510140
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00553170	0_2_00553170
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004371F0	0_2_004371F0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00541180	0_2_00541180
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_005041A0	0_2_005041A0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004351B8	0_2_004351B8
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00547260	0_2_00547260
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00506210	0_2_00506210
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00552230	0_2_00552230
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004D3280	0_2_004D3280
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0054E340	0_2_0054E340
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00448314	0_2_00448314
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00513320	0_2_00513320
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_005233F0	0_2_005233F0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0050E450	0_2_0050E450
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00453450	0_2_00453450
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004FF450	0_2_004FF450
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0050C410	0_2_0050C410
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0052E510	0_2_0052E510
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00502580	0_2_00502580
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_005145A0	0_2_005145A0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0050F620	0_2_0050F620
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004536D0	0_2_004536D0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0051E6F0	0_2_0051E6F0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00516730	0_2_00516730
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0043A8BD	0_2_0043A8BD
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004FC8B0	0_2_004FC8B0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004F3910	0_2_004F3910
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00506920	0_2_00506920
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_005209F0	0_2_005209F0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0054B990	0_2_0054B990
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00431A30	0_2_00431A30
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00504A90	0_2_00504A90
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00503BD0	0_2_00503BD0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00545BF0	0_2_00545BF0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0043ABFF	0_2_0043ABFF
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00553BB0	0_2_00553BB0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004FECA0	0_2_004FECA0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00506DD0	0_2_00506DD0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00552DC0	0_2_00552DC0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00420DB0	0_2_00420DB0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004FBE00	0_2_004FBE00
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00503E00	0_2_00503E00
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0044CEA1	0_2_0044CEA1
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00504FE0	0_2_00504FE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004DF790	9_2_004DF790
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00453C30	9_2_00453C30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0042A040	9_2_0042A040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0044F050	9_2_0044F050
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0050D010	9_2_0050D010
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0052A080	9_2_0052A080
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004FC0A0	9_2_004FC0A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004FB0A0	9_2_004FB0A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_005040A0	9_2_005040A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00510140	9_2_00510140
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00553170	9_2_00553170
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004371F0	9_2_004371F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00541180	9_2_00541180
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_005041A0	9_2_005041A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004351B8	9_2_004351B8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00547260	9_2_00547260
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00506210	9_2_00506210
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00552230	9_2_00552230
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004D3280	9_2_004D3280
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0054E340	9_2_0054E340
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00448314	9_2_00448314
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00513320	9_2_00513320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_005233F0	9_2_005233F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0050E450	9_2_0050E450
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00453450	9_2_00453450
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004FF450	9_2_004FF450
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0050C410	9_2_0050C410
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0052E510	9_2_0052E510
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00502580	9_2_00502580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_005145A0	9_2_005145A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0050F620	9_2_0050F620
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004536D0	9_2_004536D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0051E6F0	9_2_0051E6F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00516730	9_2_00516730
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0043A8BD	9_2_0043A8BD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004FC8B0	9_2_004FC8B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004F3910	9_2_004F3910
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00506920	9_2_00506920
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_005209F0	9_2_005209F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0054B990	9_2_0054B990
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00431A30	9_2_00431A30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00504A90	9_2_00504A90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00503BD0	9_2_00503BD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00545BF0	9_2_00545BF0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0043ABFF	9_2_0043ABFF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00553BB0	9_2_00553BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004FECA0	9_2_004FECA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00506DD0	9_2_00506DD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00552DC0	9_2_00552DC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00420DB0	9_2_00420DB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004FBE00	9_2_004FBE00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00503E00	9_2_00503E00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0044CEA1	9_2_0044CEA1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00504FE0	9_2_00504FE0

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: String function: 00553960 appears 102 times
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: String function: 0042EC10 appears 54 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: String function: 00553960 appears 102 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: String function: 0042EC10 appears 54 times

One or more processes crash

Source: C:\Users\user\Desktop\2zdult23rz.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 860

Sample file is different than original file name gathered from version info

Source: 2zdult23rz.exe, 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 2zdult23rz.exe
Source: 2zdult23rz.exe, 00000000.00000003.2065919760.0000000006030000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 2zdult23rz.exe
Source: 2zdult23rz.exe, 00000000.00000000.2064681600.00000000040D8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFires( vs 2zdult23rz.exe
Source: 2zdult23rz.exe, 00000000.00000003.2092524094.00000000044A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFires( vs 2zdult23rz.exe
Source: 2zdult23rz.exe, 00000000.00000003.2091633716.00000000044A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFires( vs 2zdult23rz.exe
Source: 2zdult23rz.exe, 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 2zdult23rz.exe
Source: 2zdult23rz.exe	Binary or memory string: OriginalFilenameFires( vs 2zdult23rz.exe

Uses 32bit PE files

Source: 2zdult23rz.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 00000009.00000002.3356779154.0000000005DF5000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.3356453066.0000000005C1A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000018.00000002.3357697042.0000000005D4D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.3357800955.0000000005CC3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.3356718132.0000000005F10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000002.3357144489.0000000005F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000010.00000002.3356388466.0000000005CCC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000010.00000002.3356555753.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000018.00000002.3357977475.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@24/58@2/3

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_00551490 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA,

0_2_00551490

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_00551220 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA,

0_2_00551220

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_004F3910 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,

0_2_004F3910

Source: C:\Users\user\Desktop\2zdult23rz.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5980:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6024
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5092
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6080
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1948
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2996

Source: C:\Users\user\Desktop\2zdult23rz.exe

File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Jump to behavior

Source: C:\Users\user\Desktop\2zdult23rz.exe	Command line argument: N.E		0_2_00452DA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Command line argument: N.E		9_2_00452DA0

Source: 2zdult23rz.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\2zdult23rz.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2zdult23rz.exe, 2zdult23rz.exe, 00000000.00000003.2065919760.0000000006030000.00000004.00001000.00020000.00000000.sdmp, 2zdult23rz.exe, 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 2zdult23rz.exe, 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000009.00000002.3357144489.0000000005F90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2120691078.0000000006130000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.3356718132.0000000005F10000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3349162153.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2143542863.00000000060B0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3356555753.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 2zdult23rz.exe, 00000000.00000003.2065919760.0000000006030000.00000004.00001000.00020000.00000000.sdmp, 2zdult23rz.exe, 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 2zdult23rz.exe, 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3357144489.0000000005F90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2120691078.0000000006130000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.3356718132.0000000005F10000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3349162153.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2143542863.00000000060B0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3356555753.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: 2zdult23rz.exe	ReversingLabs: Detection: 81%
Source: 2zdult23rz.exe	Virustotal: Detection: 77%

Source: 2zdult23rz.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Users\user\Desktop\2zdult23rz.exe

File read: C:\Users\user\Desktop\2zdult23rz.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\2zdult23rz.exe "C:\Users\user\Desktop\2zdult23rz.exe"
Source: C:\Users\user\Desktop\2zdult23rz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2zdult23rz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2zdult23rz.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 860
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 800
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 776
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 812
Source: C:\Users\user\Desktop\2zdult23rz.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 956
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 888
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 896
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 956
Source: C:\Users\user\Desktop\2zdult23rz.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 956
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 928
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 792
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 888
Source: C:\Users\user\Desktop\2zdult23rz.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 972
Source: C:\Users\user\Desktop\2zdult23rz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior

Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\2zdult23rz.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: 2zdult23rz.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\dedazosole.pdb source: 2zdult23rz.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\2zdult23rz.exe	Unpacked PE file: 0.2.2zdult23rz.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 10.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 16.2.RageMP131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 24.2.RageMP131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\2zdult23rz.exe	Unpacked PE file: 0.2.2zdult23rz.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 10.2.MPGPH131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 16.2.RageMP131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 24.2.RageMP131.exe.400000.0.unpack

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_004DB380 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,

0_2_004DB380

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0042E7E9 push ecx; ret	0_2_0042E7FC
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0040A943 pushad ; iretd	0_2_0040A947
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_05CC5793 pushad ; iretd	0_2_05CC57CA
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_05CC4641 push ebp; retf	0_2_05CC4646
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_05CC7B4C push eax; ret	0_2_05CC7BC0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_05CC7B6F push eax; ret	0_2_05CC7BC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0042E7E9 push ecx; ret	9_2_0042E7FC
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0040A943 pushad ; iretd	9_2_0040A947
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_05DF7793 pushad ; iretd	9_2_05DF77CA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_05DF6641 push ebp; retf	9_2_05DF6646
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_05DF9B4C push eax; ret	9_2_05DF9BC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_05DF9B6F push eax; ret	9_2_05DF9BC0

Drops PE files

Source: C:\Users\user\Desktop\2zdult23rz.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe			Jump to dropped file
Source: C:\Users\user\Desktop\2zdult23rz.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe			Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\2zdult23rz.exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\2zdult23rz.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\2zdult23rz.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\Users\user\Desktop\2zdult23rz.exe	Sandbox detection routine: GetCursorPos, DecisionNode, Sleep

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\2zdult23rz.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep

Contains functionality to detect sandboxes (mouse cursor move detection)

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos,		0_2_0045A5C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos,		9_2_0045A5C0

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\2zdult23rz.exe	Window / User API: threadDelayed 946	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 948	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 956	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1299	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1309

Found decision node followed by non-executed suspicious APIs

Source: C:\Users\user\Desktop\2zdult23rz.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Found evasive API chain (date check)

Source: C:\Users\user\Desktop\2zdult23rz.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\2zdult23rz.exe TID: 4236	Thread sleep count: 56 > 30	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe TID: 4236	Thread sleep count: 130 > 30	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe TID: 4236	Thread sleep count: 946 > 30	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe TID: 4236	Thread sleep time: -95546s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5996	Thread sleep count: 101 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2308	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5996	Thread sleep count: 948 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5996	Thread sleep time: -95748s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3108	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3108	Thread sleep count: 95 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6136	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3108	Thread sleep count: 956 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3108	Thread sleep time: -96556s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5056	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5056	Thread sleep count: 1299 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5056	Thread sleep time: -131199s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1372	Thread sleep count: 161 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1372	Thread sleep count: 1309 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1372	Thread sleep time: -132209s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\Desktop\2zdult23rz.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\2zdult23rz.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00550DF0 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 00550E31h		0_2_00550DF0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00550DF0 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 00550E31h		9_2_00550DF0

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0044A4BD FindFirstFileExW,	0_2_0044A4BD
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004F2870 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	0_2_004F2870
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0042C82B FindClose,FindFirstFileExW,GetLastError,	0_2_0042C82B
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0042C8B1 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	0_2_0042C8B1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0044A4BD FindFirstFileExW,	9_2_0044A4BD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004F2870 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	9_2_004F2870
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0042C82B FindClose,FindFirstFileExW,GetLastError,	9_2_0042C82B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0042C8B1 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	9_2_0042C8B1

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_00452968 VirtualQuery,GetSystemInfo,

0_2_00452968

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044B1000.00000004.00000020.00020000.00000000.sdmp, 2zdult23rz.exe, 00000000.00000002.3356067350.0000000004482000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.00000000042F7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.00000000042C0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.00000000044B9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.0000000004481000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: RageMP131.exe, 00000018.00000002.3356346368.0000000004238000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: RageMP131.exe, 00000018.00000002.3356346368.0000000004221000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: RageMP131.exe, 00000018.00000002.3356346368.00000000041D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: RageMP131.exe, 00000018.00000002.3356346368.0000000004221000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: MPGPH131.exe, 00000009.00000003.2162421913.00000000044C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}q
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: MPGPH131.exe, 0000000A.00000002.3355736939.00000000042CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: RageMP131.exe, 00000018.00000002.3349068373.000000000019A000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000018.00000002.3356346368.00000000041D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}She
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: MPGPH131.exe, 0000000A.00000003.2168017060.00000000042D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MPGPH131.exe, 0000000A.00000002.3355736939.00000000042EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW#
Source: RageMP131.exe, 00000018.00000002.3356346368.0000000004221000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&S
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: RageMP131.exe, 00000010.00000002.3355352428.0000000004490000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: isk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: 2zdult23rz.exe, 00000000.00000003.2114743179.0000000004494000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
Source: RageMP131.exe, 00000010.00000002.3355352428.00000000044A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: RageMP131.exe, 00000018.00000002.3356346368.00000000041D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}8?

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\2zdult23rz.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_004332F4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_004332F4

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_00453C30 Sleep,GetCurrentProcess,SetPriorityClass,SetUnhandledExceptionFilter,SetThreadExecutionState,SetThreadExecutionState,LoadLibraryA,GetModuleFileNameA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,LoadLibraryA,CreateThread,FindCloseChangeNotification,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,SetCurrentDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,CreateThread,CreateThread,CreateThread,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep,

0_2_00453C30

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\2zdult23rz.exe

0_2_004DB380

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0045A5C0 mov eax, dword ptr fs:[00000030h]	0_2_0045A5C0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0045A5C0 mov eax, dword ptr fs:[00000030h]	0_2_0045A5C0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004DF790 mov ecx, dword ptr fs:[00000030h]	0_2_004DF790
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00453C30 mov eax, dword ptr fs:[00000030h]	0_2_00453C30
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00453C30 mov ecx, dword ptr fs:[00000030h]	0_2_00453C30
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004D3280 mov eax, dword ptr fs:[00000030h]	0_2_004D3280
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004D1380 mov eax, dword ptr fs:[00000030h]	0_2_004D1380
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004E2C80 mov eax, dword ptr fs:[00000030h]	0_2_004E2C80
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_05CC30A3 push dword ptr fs:[00000030h]	0_2_05CC30A3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0045A5C0 mov eax, dword ptr fs:[00000030h]	9_2_0045A5C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0045A5C0 mov eax, dword ptr fs:[00000030h]	9_2_0045A5C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004DF790 mov ecx, dword ptr fs:[00000030h]	9_2_004DF790
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00453C30 mov eax, dword ptr fs:[00000030h]	9_2_00453C30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00453C30 mov ecx, dword ptr fs:[00000030h]	9_2_00453C30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004D3280 mov eax, dword ptr fs:[00000030h]	9_2_004D3280
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004D1380 mov eax, dword ptr fs:[00000030h]	9_2_004D1380
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004E2C80 mov eax, dword ptr fs:[00000030h]	9_2_004E2C80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_05DF50A3 push dword ptr fs:[00000030h]	9_2_05DF50A3

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_004FA050 GetProcessHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

0_2_004FA050

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00453C30 Sleep,GetCurrentProcess,SetPriorityClass,SetUnhandledExceptionFilter,SetThreadExecutionState,SetThreadExecutionState,LoadLibraryA,GetModuleFileNameA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,LoadLibraryA,CreateThread,FindCloseChangeNotification,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,SetCurrentDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,CreateThread,CreateThread,CreateThread,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep,	0_2_00453C30
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004332F4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004332F4
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0042EA14 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042EA14
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0042EDAD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0042EDAD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00453C30 Sleep,GetCurrentProcess,SetPriorityClass,SetUnhandledExceptionFilter,SetThreadExecutionState,SetThreadExecutionState,LoadLibraryA,GetModuleFileNameA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,LoadLibraryA,CreateThread,FindCloseChangeNotification,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,SetCurrentDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,CreateThread,CreateThread,CreateThread,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep,	9_2_00453C30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004332F4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_004332F4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0042EA14 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_0042EA14
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0042EDAD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0042EDAD

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004DB380 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,		0_2_004DB380
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004DB380 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,		9_2_004DB380

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_0042E615 cpuid

0_2_0042E615

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_0044D3EB
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: GetLocaleInfoW,	0_2_0044D5F0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: GetLocaleInfoEx,FormatMessageA,	0_2_0042C623
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: EnumSystemLocalesW,	0_2_0044D6E2
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: EnumSystemLocalesW,	0_2_0044D697
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: EnumSystemLocalesW,	0_2_0044D77D
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0044D808
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: EnumSystemLocalesW,	0_2_00445A41
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: GetLocaleInfoW,	0_2_0044DA5B
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0044DB84
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: GetLocaleInfoW,	0_2_0044DC8A
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0044DD60
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: GetLocaleInfoW,	0_2_00445FC4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	9_2_0044D3EB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	9_2_0044D5F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoEx,FormatMessageA,	9_2_0042C623
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	9_2_0044D6E2
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	9_2_0044D697
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	9_2_0044D77D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	9_2_0044D808
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	9_2_00445A41
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	9_2_0044DA5B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	9_2_0044DB84
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	9_2_0044DC8A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	9_2_0044DD60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	9_2_00445FC4

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\2zdult23rz.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_0043C1FB GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

0_2_0043C1FB

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_004479BE GetTimeZoneInformation,

0_2_004479BE

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_00551070 GetVersionExA,GetFileAttributesW,GetFileAttributesA,

0_2_00551070

Source: C:\Users\user\Desktop\2zdult23rz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: Process Memory Space: 2zdult23rz.exe PID: 1948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 2996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 5092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 6024, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: Process Memory Space: 2zdult23rz.exe PID: 1948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 2996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 5092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 6024, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
147.45.47.93	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	true
104.26.4.15	db-ip.com	United States	13335	CLOUDFLARENETUS	false

Contacted Domains

Name	IP	Active
ipinfo.io	34.117.186.192	true
db-ip.com	104.26.4.15	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/widget/demo/149.18.24.96	false		high
https://db-ip.com/demo/home.php?s=149.18.24.96	false		high

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 2zdult23rz.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe

Avira: detection malicious, Label: HEUR/AGEN.1313019

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	ReversingLabs: Detection: 81%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Virustotal: Detection: 77%	Perma Link
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Virustotal: Detection: 77%	Perma Link

Multi AV Scanner detection for submitted file

Source: 2zdult23rz.exe	ReversingLabs: Detection: 81%
Source: 2zdult23rz.exe	Virustotal: Detection: 77%			Perma Link

Machine Learning detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 2zdult23rz.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004D1240 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,		0_2_004D1240
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004D1240 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,		9_2_004D1240

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\2zdult23rz.exe	Unpacked PE file: 0.2.2zdult23rz.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 10.2.MPGPH131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 16.2.RageMP131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 24.2.RageMP131.exe.400000.0.unpack

Uses 32bit PE files

Source: 2zdult23rz.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\2zdult23rz.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49718 version: TLS 1.2

Source:

Binary string: C:\dedazosole.pdb source: 2zdult23rz.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0044A4BD FindFirstFileExW,	0_2_0044A4BD
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004F2870 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	0_2_004F2870
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0042C82B FindClose,FindFirstFileExW,GetLastError,	0_2_0042C82B
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0042C8B1 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	0_2_0042C8B1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0044A4BD FindFirstFileExW,	9_2_0044A4BD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004F2870 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	9_2_004F2870
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0042C82B FindClose,FindFirstFileExW,GetLastError,	9_2_0042C82B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0042C8B1 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	9_2_0042C8B1

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.6:49699 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49699
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49699 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49700
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49701
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49700 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49701 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49709
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.6:49699
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.6:49700
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.6:49701
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.6:49709
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49709 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.6:49711
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49711 -> 147.45.47.93:58709

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49699 -> 147.45.47.93:58709

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 147.45.47.93 147.45.47.93
Source: Joe Sandbox View	IP Address: 104.26.4.15 104.26.4.15

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

May check the online IP address of the machine

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_004D3150 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,freeaddrinfo,WSACleanup,freeaddrinfo,

0_2_004D3150

Source: global traffic	HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/149.18.24.96 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=149.18.24.96 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: db-ip.com

Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: 2zdult23rz.exe, 00000000.00000002.3357800955.0000000005CC3000.00000040.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3356779154.0000000005DF5000.00000040.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3356453066.0000000005C1A000.00000040.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3356388466.0000000005CCC000.00000040.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3357697042.0000000005D4D000.00000040.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibD
Source: RageMP131.exe, 00000018.00000002.3357977475.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.00000000044B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/89
Source: MPGPH131.exe, 0000000A.00000002.3355736939.00000000042F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/?
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/I
Source: RageMP131.exe, 00000010.00000002.3355352428.00000000044B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/Or
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/U
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/X9
Source: RageMP131.exe, 00000010.00000002.3355352428.00000000044B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=149.18.24.96
Source: MPGPH131.exe, 0000000A.00000002.3355736939.00000000042F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=149.18.24.965
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=149.18.24.96F5
Source: MPGPH131.exe, 0000000A.00000002.3355736939.00000000042F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=149.18.24.96o#
Source: RageMP131.exe, 00000010.00000002.3355352428.00000000044B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/ur
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.00000000042F7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.00000000044B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=149.18.24.96
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=149.18.24.968
Source: RageMP131.exe, 00000010.00000002.3355352428.000000000447C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: 2zdult23rz.exe, 00000000.00000003.2065919760.0000000006030000.00000004.00001000.00020000.00000000.sdmp, 2zdult23rz.exe, 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 2zdult23rz.exe, 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3357144489.0000000005F90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2120691078.0000000006130000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.3356718132.0000000005F10000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3349162153.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2143542863.00000000060B0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3356555753.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000003.2249432581.0000000006040000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3349183258.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000001.2249277297.00000000004E6000.00000004.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000018.00000002.3349156812.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000018.00000003.2350560646.0000000006080000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3357977475.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Content-Type:
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044A6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3355895754.00000000044E6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.00000000042EB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.00000000044A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: MPGPH131.exe, 0000000A.00000002.3355736939.00000000042B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/n
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.000000000445F000.00000004.00000020.00020000.00000000.sdmp, 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044A6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3355895754.000000000448C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.00000000042EB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.000000000429F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.00000000044A5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.000000000445E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/149.18.24.96
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/149.18.24.96a
Source: MPGPH131.exe, 0000000A.00000002.3355736939.00000000042EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/149.18.24.96
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044A6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.00000000044A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/149.18.24.96B
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/149.18.24.96E
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.000000000442E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3355895754.000000000445E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.0000000004277000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.000000000442E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3356346368.00000000041D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.000000000442E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTX
Source: 2zdult23rz.exe, 2zdult23rz.exe, 00000000.00000003.2065919760.0000000006030000.00000004.00001000.00020000.00000000.sdmp, 2zdult23rz.exe, 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 2zdult23rz.exe, 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000009.00000002.3357144489.0000000005F90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2120691078.0000000006130000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.3356718132.0000000005F10000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3349162153.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2143542863.00000000060B0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3356555753.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000003.2249432581.0000000006040000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3349183258.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000001.2249277297.00000000004E6000.00000004.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000018.00000002.3349156812.0000000000400000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000018.00000003.2350560646.0000000006080000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3357977475.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49718 version: TLS 1.2

Contains functionality to record screenshots

Source: C:\Users\user\Desktop\2zdult23rz.exe

0_2_004F2150

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000009.00000002.3356779154.0000000005DF5000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.3356453066.0000000005C1A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000018.00000002.3357697042.0000000005D4D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.3357800955.0000000005CC3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.3356718132.0000000005F10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000009.00000002.3357144489.0000000005F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000010.00000002.3356388466.0000000005CCC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000010.00000002.3356555753.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000018.00000002.3357977475.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Detected potential crypto function

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004DF790	0_2_004DF790
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00453C30	0_2_00453C30
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0042A040	0_2_0042A040
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0044F050	0_2_0044F050
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0050D010	0_2_0050D010
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0052A080	0_2_0052A080
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004FC0A0	0_2_004FC0A0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004FB0A0	0_2_004FB0A0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_005040A0	0_2_005040A0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00510140	0_2_00510140
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00553170	0_2_00553170
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004371F0	0_2_004371F0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00541180	0_2_00541180
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_005041A0	0_2_005041A0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004351B8	0_2_004351B8
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00547260	0_2_00547260
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00506210	0_2_00506210
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00552230	0_2_00552230
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004D3280	0_2_004D3280
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0054E340	0_2_0054E340
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00448314	0_2_00448314
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00513320	0_2_00513320
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_005233F0	0_2_005233F0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0050E450	0_2_0050E450
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00453450	0_2_00453450
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004FF450	0_2_004FF450
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0050C410	0_2_0050C410
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0052E510	0_2_0052E510
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00502580	0_2_00502580
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_005145A0	0_2_005145A0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0050F620	0_2_0050F620
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004536D0	0_2_004536D0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0051E6F0	0_2_0051E6F0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00516730	0_2_00516730
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0043A8BD	0_2_0043A8BD
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004FC8B0	0_2_004FC8B0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004F3910	0_2_004F3910
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00506920	0_2_00506920
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_005209F0	0_2_005209F0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0054B990	0_2_0054B990
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00431A30	0_2_00431A30
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00504A90	0_2_00504A90
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00503BD0	0_2_00503BD0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00545BF0	0_2_00545BF0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0043ABFF	0_2_0043ABFF
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00553BB0	0_2_00553BB0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004FECA0	0_2_004FECA0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00506DD0	0_2_00506DD0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00552DC0	0_2_00552DC0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00420DB0	0_2_00420DB0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004FBE00	0_2_004FBE00
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00503E00	0_2_00503E00
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0044CEA1	0_2_0044CEA1
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00504FE0	0_2_00504FE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004DF790	9_2_004DF790
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00453C30	9_2_00453C30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0042A040	9_2_0042A040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0044F050	9_2_0044F050
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0050D010	9_2_0050D010
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0052A080	9_2_0052A080
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004FC0A0	9_2_004FC0A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004FB0A0	9_2_004FB0A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_005040A0	9_2_005040A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00510140	9_2_00510140
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00553170	9_2_00553170
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004371F0	9_2_004371F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00541180	9_2_00541180
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_005041A0	9_2_005041A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004351B8	9_2_004351B8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00547260	9_2_00547260
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00506210	9_2_00506210
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00552230	9_2_00552230
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004D3280	9_2_004D3280
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0054E340	9_2_0054E340
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00448314	9_2_00448314
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00513320	9_2_00513320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_005233F0	9_2_005233F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0050E450	9_2_0050E450
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00453450	9_2_00453450
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004FF450	9_2_004FF450
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0050C410	9_2_0050C410
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0052E510	9_2_0052E510
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00502580	9_2_00502580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_005145A0	9_2_005145A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0050F620	9_2_0050F620
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004536D0	9_2_004536D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0051E6F0	9_2_0051E6F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00516730	9_2_00516730
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0043A8BD	9_2_0043A8BD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004FC8B0	9_2_004FC8B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004F3910	9_2_004F3910
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00506920	9_2_00506920
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_005209F0	9_2_005209F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0054B990	9_2_0054B990
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00431A30	9_2_00431A30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00504A90	9_2_00504A90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00503BD0	9_2_00503BD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00545BF0	9_2_00545BF0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0043ABFF	9_2_0043ABFF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00553BB0	9_2_00553BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004FECA0	9_2_004FECA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00506DD0	9_2_00506DD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00552DC0	9_2_00552DC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00420DB0	9_2_00420DB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004FBE00	9_2_004FBE00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00503E00	9_2_00503E00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0044CEA1	9_2_0044CEA1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00504FE0	9_2_00504FE0

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: String function: 00553960 appears 102 times
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: String function: 0042EC10 appears 54 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: String function: 00553960 appears 102 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: String function: 0042EC10 appears 54 times

One or more processes crash

Source: C:\Users\user\Desktop\2zdult23rz.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 860

Sample file is different than original file name gathered from version info

Source: 2zdult23rz.exe, 00000000.00000002.3349183063.000000000058A000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 2zdult23rz.exe
Source: 2zdult23rz.exe, 00000000.00000003.2065919760.0000000006030000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 2zdult23rz.exe
Source: 2zdult23rz.exe, 00000000.00000000.2064681600.00000000040D8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFires( vs 2zdult23rz.exe
Source: 2zdult23rz.exe, 00000000.00000003.2092524094.00000000044A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFires( vs 2zdult23rz.exe
Source: 2zdult23rz.exe, 00000000.00000003.2091633716.00000000044A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFires( vs 2zdult23rz.exe
Source: 2zdult23rz.exe, 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs 2zdult23rz.exe
Source: 2zdult23rz.exe	Binary or memory string: OriginalFilenameFires( vs 2zdult23rz.exe

Uses 32bit PE files

Source: 2zdult23rz.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 00000009.00000002.3356779154.0000000005DF5000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.3356453066.0000000005C1A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000018.00000002.3357697042.0000000005D4D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.3357800955.0000000005CC3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.3356718132.0000000005F10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000009.00000002.3357144489.0000000005F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000010.00000002.3356388466.0000000005CCC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000010.00000002.3356555753.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000018.00000002.3357977475.0000000005EE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@24/58@2/3

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_00551490 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA,

0_2_00551490

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_00551220 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA,

0_2_00551220

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_004F3910 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,

0_2_004F3910

Source: C:\Users\user\Desktop\2zdult23rz.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5980:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6024
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5092
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6080
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1948
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2996

Source: C:\Users\user\Desktop\2zdult23rz.exe

File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Jump to behavior

Source: C:\Users\user\Desktop\2zdult23rz.exe	Command line argument: N.E		0_2_00452DA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Command line argument: N.E		9_2_00452DA0

Source: 2zdult23rz.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\2zdult23rz.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2zdult23rz.exe, 2zdult23rz.exe, 00000000.00000003.2065919760.0000000006030000.00000004.00001000.00020000.00000000.sdmp, 2zdult23rz.exe, 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 2zdult23rz.exe, 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, MPGPH131.exe, 00000009.00000002.3357144489.0000000005F90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2120691078.0000000006130000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.3356718132.0000000005F10000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3349162153.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2143542863.00000000060B0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3356555753.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 2zdult23rz.exe, 00000000.00000003.2065919760.0000000006030000.00000004.00001000.00020000.00000000.sdmp, 2zdult23rz.exe, 00000000.00000002.3349183063.0000000000400000.00000040.00000001.01000000.00000003.sdmp, 2zdult23rz.exe, 00000000.00000002.3357963980.0000000005E90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3357144489.0000000005F90000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000003.2120691078.0000000006130000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3349156602.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000002.3356718132.0000000005F10000.00000040.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3349162153.0000000000400000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2143542863.00000000060B0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3356555753.0000000005DA0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: 2zdult23rz.exe	ReversingLabs: Detection: 81%
Source: 2zdult23rz.exe	Virustotal: Detection: 77%

Source: 2zdult23rz.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Users\user\Desktop\2zdult23rz.exe

File read: C:\Users\user\Desktop\2zdult23rz.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\2zdult23rz.exe "C:\Users\user\Desktop\2zdult23rz.exe"
Source: C:\Users\user\Desktop\2zdult23rz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2zdult23rz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2zdult23rz.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 860
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 800
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 776
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 812
Source: C:\Users\user\Desktop\2zdult23rz.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 956
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 888
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 896
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 956
Source: C:\Users\user\Desktop\2zdult23rz.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 956
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 928
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 792
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 888
Source: C:\Users\user\Desktop\2zdult23rz.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1948 -s 972
Source: C:\Users\user\Desktop\2zdult23rz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior

Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\2zdult23rz.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: 2zdult23rz.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\dedazosole.pdb source: 2zdult23rz.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\2zdult23rz.exe	Unpacked PE file: 0.2.2zdult23rz.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 10.2.MPGPH131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 16.2.RageMP131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 24.2.RageMP131.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\2zdult23rz.exe	Unpacked PE file: 0.2.2zdult23rz.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 9.2.MPGPH131.exe.400000.0.unpack
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 10.2.MPGPH131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 16.2.RageMP131.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 24.2.RageMP131.exe.400000.0.unpack

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\2zdult23rz.exe

0_2_004DB380

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0042E7E9 push ecx; ret	0_2_0042E7FC
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0040A943 pushad ; iretd	0_2_0040A947
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_05CC5793 pushad ; iretd	0_2_05CC57CA
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_05CC4641 push ebp; retf	0_2_05CC4646
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_05CC7B4C push eax; ret	0_2_05CC7BC0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_05CC7B6F push eax; ret	0_2_05CC7BC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0042E7E9 push ecx; ret	9_2_0042E7FC
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0040A943 pushad ; iretd	9_2_0040A947
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_05DF7793 pushad ; iretd	9_2_05DF77CA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_05DF6641 push ebp; retf	9_2_05DF6646
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_05DF9B4C push eax; ret	9_2_05DF9BC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_05DF9B6F push eax; ret	9_2_05DF9BC0

Drops PE files

Source: C:\Users\user\Desktop\2zdult23rz.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe			Jump to dropped file
Source: C:\Users\user\Desktop\2zdult23rz.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe			Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\2zdult23rz.exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\2zdult23rz.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\2zdult23rz.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\Users\user\Desktop\2zdult23rz.exe	Sandbox detection routine: GetCursorPos, DecisionNode, Sleep

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\2zdult23rz.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep

Contains functionality to detect sandboxes (mouse cursor move detection)

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos,		0_2_0045A5C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos,		9_2_0045A5C0

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\2zdult23rz.exe	Window / User API: threadDelayed 946	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 948	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 956	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1299	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1309

Found decision node followed by non-executed suspicious APIs

Source: C:\Users\user\Desktop\2zdult23rz.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Found evasive API chain (date check)

Source: C:\Users\user\Desktop\2zdult23rz.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\2zdult23rz.exe TID: 4236	Thread sleep count: 56 > 30	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe TID: 4236	Thread sleep count: 130 > 30	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe TID: 4236	Thread sleep count: 946 > 30	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe TID: 4236	Thread sleep time: -95546s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5996	Thread sleep count: 101 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2308	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5996	Thread sleep count: 948 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5996	Thread sleep time: -95748s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3108	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3108	Thread sleep count: 95 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6136	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3108	Thread sleep count: 956 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3108	Thread sleep time: -96556s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5056	Thread sleep count: 31 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5056	Thread sleep count: 1299 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5056	Thread sleep time: -131199s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1372	Thread sleep count: 161 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1372	Thread sleep count: 1309 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1372	Thread sleep time: -132209s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\Desktop\2zdult23rz.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\2zdult23rz.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00550DF0 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 00550E31h		0_2_00550DF0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00550DF0 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 00550E31h		9_2_00550DF0

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0044A4BD FindFirstFileExW,	0_2_0044A4BD
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004F2870 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	0_2_004F2870
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0042C82B FindClose,FindFirstFileExW,GetLastError,	0_2_0042C82B
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0042C8B1 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	0_2_0042C8B1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0044A4BD FindFirstFileExW,	9_2_0044A4BD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004F2870 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	9_2_004F2870
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0042C82B FindClose,FindFirstFileExW,GetLastError,	9_2_0042C82B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0042C8B1 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	9_2_0042C8B1

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_00452968 VirtualQuery,GetSystemInfo,

0_2_00452968

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 2zdult23rz.exe, 00000000.00000002.3356067350.00000000044B1000.00000004.00000020.00020000.00000000.sdmp, 2zdult23rz.exe, 00000000.00000002.3356067350.0000000004482000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.3355895754.00000000044FD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.00000000042F7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.3355736939.00000000042C0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.00000000044B9000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.3355352428.0000000004481000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: RageMP131.exe, 00000018.00000002.3356346368.0000000004238000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: RageMP131.exe, 00000018.00000002.3356346368.0000000004221000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: RageMP131.exe, 00000018.00000002.3356346368.00000000041D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: RageMP131.exe, 00000018.00000002.3356346368.0000000004221000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: MPGPH131.exe, 00000009.00000003.2162421913.00000000044C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}q
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: MPGPH131.exe, 0000000A.00000002.3355736939.00000000042CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: RageMP131.exe, 00000018.00000002.3349068373.000000000019A000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000018.00000002.3356346368.00000000041D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}She
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: MPGPH131.exe, 0000000A.00000003.2168017060.00000000042D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MPGPH131.exe, 0000000A.00000002.3355736939.00000000042EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW#
Source: RageMP131.exe, 00000018.00000002.3356346368.0000000004221000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MPGPH131.exe, 00000009.00000002.3355895754.00000000044AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&S
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: RageMP131.exe, 00000010.00000002.3355352428.0000000004490000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: isk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: 2zdult23rz.exe, 00000000.00000003.2114743179.0000000004494000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.
Source: RageMP131.exe, 00000010.00000002.3355352428.00000000044A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: RageMP131.exe, 00000018.00000002.3356346368.00000000041D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}8?

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\2zdult23rz.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\2zdult23rz.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_004332F4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_004332F4

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\Desktop\2zdult23rz.exe

0_2_00453C30

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\2zdult23rz.exe

0_2_004DB380

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0045A5C0 mov eax, dword ptr fs:[00000030h]	0_2_0045A5C0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0045A5C0 mov eax, dword ptr fs:[00000030h]	0_2_0045A5C0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004DF790 mov ecx, dword ptr fs:[00000030h]	0_2_004DF790
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00453C30 mov eax, dword ptr fs:[00000030h]	0_2_00453C30
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00453C30 mov ecx, dword ptr fs:[00000030h]	0_2_00453C30
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004D3280 mov eax, dword ptr fs:[00000030h]	0_2_004D3280
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004D1380 mov eax, dword ptr fs:[00000030h]	0_2_004D1380
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004E2C80 mov eax, dword ptr fs:[00000030h]	0_2_004E2C80
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_05CC30A3 push dword ptr fs:[00000030h]	0_2_05CC30A3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0045A5C0 mov eax, dword ptr fs:[00000030h]	9_2_0045A5C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0045A5C0 mov eax, dword ptr fs:[00000030h]	9_2_0045A5C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004DF790 mov ecx, dword ptr fs:[00000030h]	9_2_004DF790
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00453C30 mov eax, dword ptr fs:[00000030h]	9_2_00453C30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00453C30 mov ecx, dword ptr fs:[00000030h]	9_2_00453C30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004D3280 mov eax, dword ptr fs:[00000030h]	9_2_004D3280
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004D1380 mov eax, dword ptr fs:[00000030h]	9_2_004D1380
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004E2C80 mov eax, dword ptr fs:[00000030h]	9_2_004E2C80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_05DF50A3 push dword ptr fs:[00000030h]	9_2_05DF50A3

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_004FA050 GetProcessHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

0_2_004FA050

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_00453C30 Sleep,GetCurrentProcess,SetPriorityClass,SetUnhandledExceptionFilter,SetThreadExecutionState,SetThreadExecutionState,LoadLibraryA,GetModuleFileNameA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,LoadLibraryA,CreateThread,FindCloseChangeNotification,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,SetCurrentDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,CreateThread,CreateThread,CreateThread,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep,	0_2_00453C30
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004332F4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004332F4
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0042EA14 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042EA14
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_0042EDAD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0042EDAD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00453C30 Sleep,GetCurrentProcess,SetPriorityClass,SetUnhandledExceptionFilter,SetThreadExecutionState,SetThreadExecutionState,LoadLibraryA,GetModuleFileNameA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,GetProcessId,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetThreadExecutionState,SetThreadExecutionState,LoadLibraryA,CreateThread,FindCloseChangeNotification,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,SetCurrentDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,CreateThread,CreateThread,CreateThread,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep,	9_2_00453C30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004332F4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_004332F4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0042EA14 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_0042EA14
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_0042EDAD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_0042EDAD

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: 0_2_004DB380 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,		0_2_004DB380
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_004DB380 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,		9_2_004DB380

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_0042E615 cpuid

0_2_0042E615

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_0044D3EB
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: GetLocaleInfoW,	0_2_0044D5F0
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: GetLocaleInfoEx,FormatMessageA,	0_2_0042C623
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: EnumSystemLocalesW,	0_2_0044D6E2
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: EnumSystemLocalesW,	0_2_0044D697
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: EnumSystemLocalesW,	0_2_0044D77D
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0044D808
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: EnumSystemLocalesW,	0_2_00445A41
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: GetLocaleInfoW,	0_2_0044DA5B
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0044DB84
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: GetLocaleInfoW,	0_2_0044DC8A
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0044DD60
Source: C:\Users\user\Desktop\2zdult23rz.exe	Code function: GetLocaleInfoW,	0_2_00445FC4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	9_2_0044D3EB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	9_2_0044D5F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoEx,FormatMessageA,	9_2_0042C623
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	9_2_0044D6E2
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	9_2_0044D697
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	9_2_0044D77D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	9_2_0044D808
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	9_2_00445A41
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	9_2_0044DA5B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	9_2_0044DB84
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	9_2_0044DC8A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	9_2_0044DD60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	9_2_00445FC4

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\2zdult23rz.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_0043C1FB GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

0_2_0043C1FB

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_004479BE GetTimeZoneInformation,

0_2_004479BE

Source: C:\Users\user\Desktop\2zdult23rz.exe

Code function: 0_2_00551070 GetVersionExA,GetFileAttributesW,GetFileAttributesA,

0_2_00551070

Source: C:\Users\user\Desktop\2zdult23rz.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: Process Memory Space: 2zdult23rz.exe PID: 1948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 2996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 5092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 6024, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: Process Memory Space: 2zdult23rz.exe PID: 1948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 6080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 2996, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 5092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 6024, type: MEMORYSTR

Windows Analysis Report
2zdult23rz.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1434701
Product:	CloudBasic
Start time:	16:39:23
Start date:	01.05.2024
Sample:	2zdult23rz.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	733c1261cf02626f2354e6339baa6717
SHA1:	c9e3599e1d7983fa7439bf2ff122fd7e51a59b93
SHA256:	a14041622d7d427f0b7ea24efaa7e80a3b025c211273ce0914ee34b5e71bc8c4
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\MPGPH131\MPGPH131.exe	PE32 executable (GUI) Intel 80386, for MS Windows	733C1261CF02626F2354E6339BAA6717	C9E3599E1D7983FA7439BF2FF122FD7E51A59B93	A14041622D7D427F0B7EA24EFAA7E80A3B025C211273CE0914EE34B5E71BC8C4
C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2zdult23rz.exe_11f98c9716fee19af49aa64de28cc82bb5ae24_9a0d6501_20878b5b-aecd-41dd-aadc-9fcebe731b12\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	6723DFE66B3266C2CB2C85AA6F29B6E9	8AF9C9B62187A181949F45CE72FE8EF2A5DC0047	22D8DDA8004E14B592D72FB9F07513E8C11B141CB3286AA7493100F21039E7AE
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2zdult23rz.exe_11f98c9716fee19af49aa64de28cc82bb5ae24_9a0d6501_777a93e1-5691-425a-8add-7dcc282e804c\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	7C047205FB8D80C8AF79B4A3F527E668	A388C989EAE1F55D51B893E8B3EBE97E26E73729	99A8D28304EE1A2E8D2043224617F54EF7888ABCCAE43109E9163C830D92D4F2
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2zdult23rz.exe_11f98c9716fee19af49aa64de28cc82bb5ae24_9a0d6501_ff6612eb-39b4-4539-8240-dd31e3304e2f\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	F140BBB3545697EC54F74FFC1F813B87	F8094F0533696FFFB54C05CDD0CC805D738A167E	C4AD585D896CDE106501CB81B8A097EDD3869866C002ABBA09E8B4228F0F0555
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2zdult23rz.exe_11f98c9716fee19af49aa64de28cc82bb5ae24_9a0d6501_fff45d40-3bb3-47f1-995f-427d72b5da7d\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	779FAE53544D7761A8352EDA81C3EF1F	ECC72FC5AAE3100AC495C3876212CD6DB00409AE	B625B3DB1E9BA59BAC39C1699F9AD2CDC397302E7FD7C2434DE409F3D8FFA648
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_66d9e27e738a68bc2f94c5d06af5b853bcdbaba2_05789ee0_07168908-1ada-4ad9-b8e0-75dfac6a4107\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	619606E51BB46BAD36FC541A7803C8ED	C7FED2801E2F903678781DED0FC066A718522F65	B6FC7985EA8B9EA5F1CA2AA781366144FEAAA8C7C7BBCA673538AD0E53FFD8C4
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_66d9e27e738a68bc2f94c5d06af5b853bcdbaba2_05789ee0_5a4466b5-e58c-4c08-94b8-4ada0870fa41\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	F91D51827D28DE25A951F5DEEEB6986B	AC20E740FE2352F16BD737EB6CED5D6C26C057F5	B63F20ECDE1E27F0BB492004231B74C0B7ED8B2A785C71C57040B8937558800C
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_66d9e27e738a68bc2f94c5d06af5b853bcdbaba2_05789ee0_79dfc724-9704-4183-b4b9-469da4028e4f\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	D5146F5B2C17EA09C9D754D8EE91C7E6	4013032101CB0596679A2E38534B7443469CE57F	1CE0C6056F7427025C71718FEC37BEC115117551D704BA6B5F326C1DFB463C6B
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_66d9e27e738a68bc2f94c5d06af5b853bcdbaba2_05789ee0_d7856789-e655-4e86-98a2-61bad8289a4e\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	AA27407294A5FCF5D9A6EE6739603735	DB7F54A96AD7E2FB8908652181E4BFB1E3AEEC95	30C8CD7DA2E8B351B9B3A94839713274BCE622A1186C6377FCB1FE183E0BEBB9
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_66d9e27e738a68bc2f94c5d06af5b853bcdbaba2_05789ee0_df7456cb-df9e-4b59-93ca-82804b0c1b09\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	36F465E0F61B0B46B26B6123562BFDF7	F434BEBBCF7A772E53D4ABBF614199F7F2E07ABC	B7009D2CD14760BD727514CA600779E35014EC5B82CD60140126B54A159AE7B2
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_66d9e27e738a68bc2f94c5d06af5b853bcdbaba2_05789ee0_f4c77b85-3516-4f65-b357-332c4a00e2d9\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	4AF21D15D9BD6DABE05E0DEE0943E66A	48C8F2B889986620335C0337ADC308463693F6D1	3C615B9F05CF836267BC3997802AB37C599451CC36DA7BA4082C9FDF5A22EF38
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RageMP131.exe_d88d6b71db8af1c4ceb4920f8ba97dccd2f8180_9f006fa9_1f2b9adf-cd60-4ea4-9ed5-476865d40b3f\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	49FE6F2F29BBA02657F9F444840AE947	3EB46BC5F74448033916E5A2DE186069F7AD51FD	25A280B8C1A097FDAEC654602A57E05C1CCCF9161821D529A0942833948CBBB6
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RageMP131.exe_d88d6b71db8af1c4ceb4920f8ba97dccd2f8180_9f006fa9_8da1b8ba-8b09-428f-ba51-74f2c7ba8b7d\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	8D27D6464FCA56641B04705372437AC3	26048CC4C4EACE6A55FDA198B4A590BA1F3870C6	AFCFFCADCE39C0F70AB5941C24FCE7AF393C8BFFAC739AA89FF608F6F679EA38
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RageMP131.exe_d88d6b71db8af1c4ceb4920f8ba97dccd2f8180_9f006fa9_b7bd9140-c855-4d7b-8dcf-9b68772ee563\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	DFD9FB88EAC3AE50DD67F8A229189769	2634436994DAA32640524FC80EEEBCF4D5E10C5E	85232F3C1F3472B59266E303578D160A1DBBBF997AAFAC5109C0CF61D5C581D1
C:\ProgramData\Microsoft\Windows\WER\Temp\WER136.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	7E76A23C1A6FF876D79003C25D1A5BC8	4F95133A2571621FD7745A0BFA33D27B27403C34	259AE2B083D26B40A45AF67ADCBF913B34B2B821E62DA43E4B1C21D3F70135FF
C:\ProgramData\Microsoft\Windows\WER\Temp\WER156.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	769EFF6B5C40C2712D988A86CF294384	623381F02D626304BE4EE1B8982052C0AFE027EE	301418C8B9F9BD8BEA0620F1A86A3CAFB09C3B2E49634859351B217616D4214E
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B04.tmp.dmp	Mini DuMP crash report, 15 streams, Wed May 1 14:40:27 2024, 0x1205a4 type	9F76CA39FB9D899E719D15D2BE646B0E	1FCD35279CCCB8F4532C0F34A1AA18FCB8227EC9	6C001553473D637CE3D1D5E4E6CF15CDF7842246E2D19450E02EA1267E63894D
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2BA2.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	D906F905A024F375296DCE602EF04749	739B5D4DF29CFDD9A384D5B27CEC1379885899F6	BB576BECB72C1BACA00262E18A5ED41CBA6A1A6503345537B3FD53FBA4752AB4
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2BD1.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	0858802352B28DBC69D891FC8B70ADC9	882AA8680B09C3B768D44548FD99DE2F2DCA03E3	0E6D4AFE9200F88A63F02BA918737E24A629E45D58D287E445A1F45AD1C35F17
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4524.tmp.dmp	Mini DuMP crash report, 15 streams, Wed May 1 14:40:35 2024, 0x1205a4 type	020FD1C5E75D0B7EF2C1A9DA12006C15	8E8056822D28CD6C154509EF4D468C749A792316	0879BC716021FEED75FD1DD556A117C08E954EE7093E148C6F2A6023306F96A8
C:\ProgramData\Microsoft\Windows\WER\Temp\WER498A.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	F88464A339CD22349096C1E23FA8BCE6	EAD9BC693A25AD07DB24351A41C3E3A8C5B552D3	F6DC9A40E1858C20047870EEA3B0F94D2546D5C43F6AC3A0A2B48DFA0A7ADB1C
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4AA4.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	7447152905ED15904182157E66E58F3F	823BBE02004838159C7FEFB7A950C30899C300D1	C1EED0E1F1C0BFDEA95201509DAE5AD2558B60DCD9E4ECCD143166C2D46FAB1F
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4C29.tmp.dmp	Mini DuMP crash report, 15 streams, Wed May 1 14:40:36 2024, 0x1205a4 type	E213CE1A7AAF99E6D03BDAB811B233E0	1B1C2D16AD5C890B99CD418B47A5C0633511FBD9	3E194C94B66ED1A6DBA0D42909C9E2CBB1FF94C09D504526D2064F49BEA778CC
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4C77.tmp.dmp	Mini DuMP crash report, 15 streams, Wed May 1 14:40:36 2024, 0x1205a4 type	B66FCA5A846FF0E8C7E0D19AFDC1CABC	B37C9BB39E2CCD1AF5DEF15939BFE9402B8CA0AE	F92639D17F30CFFDE5D43218B4E340073703CF470B5CD07BE25C89FACEA998E1
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4E2D.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	36CE52E236715C4368CF1A9C241D4D23	DD958B52602CC54D6A03FCC95EBEF7AC6D53D161	2083766314C5E20FC92B51F19731CF0E4DB1F915134DD0E3BEF4B3C836053F02
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4E5B.tmp.dmp	Mini DuMP crash report, 15 streams, Wed May 1 14:40:37 2024, 0x1205a4 type	E6321AD28467981F43F7BC28F12C7403	FF6D456222F0E9E7C20386E2A55CE72903A644F8	D35CF7BFABA7796683E046E9A8A76253C7560130F171F1DFDAEEB0E43D584771
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4E5C.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	5C666647FD7843C132C33BEAD56A461C	42071D8306E6E21D4FB0EB488AC5F5794EFB3767	6A6CD03E91D04B29BF8F3B73F6CEB40C2ED7DA2A6093ED2D4305499DE372F4FF
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4E7C.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	7B6053A284656AC46EE8DB84F4D8BA7D	A4AFBF83A31F993397E53F69290B89E692F9A32C	5D05525A4FEF752F4C2D5E533BB8D42D3BBE3958885872FE175029ED4827BE29
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4F28.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	D3137B0EBAF01386BB46786487CF6779	C45DE479B5A9570690BD29C7000682E7D4409711	E8586E4E31670841E054A62D04831383084F0594E2B9D5448D682FA71ABBF826
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5012.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	3777355B26F0585DB6AF71741C0D87EC	330450EEAD047A29932F077C6C22E5FD4F850020	D9303212475EBC636E35C773B53DA3D0C4D70E2D0F8AECD29D9F02573A8C1B69
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5090.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	B96B39D7D76FDEA475FB5E231DC80E31	120192DBE4AD4950809279D7DA6CB4E606899DCF	29954F63A8C7F738962B7A26DE34911167CA66D3AC9894CF761745E24AC1E8D8
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6445.tmp.dmp	Mini DuMP crash report, 15 streams, Wed May 1 14:40:44 2024, 0x1205a4 type	DDEFF98E8E9F704CC7767819034EADFC	40A5007B5843243B5329A7D67FE05BAA96BE3598	AE06BDF1668EF1CB7EC723A0A20AAC9C5DE6568EB3A5DF17368F134E8FF77DC8
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6C06.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	8F4233CC6ADE4450B3A0B69F603BBEAF	3EFCCB3F31CC9D9740CFD47A940EBD92A6023AB7	D2E0219E48E9A1D39273033A31A8EACDBDF83B0C6E1E44169D60D53F9AA4E08B
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6CC2.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	D5017D87A4D223CA763191606A234362	0E3DE4B0E5DC1CA2F847AE501096552A141DC487	5188CF6CAFBFA12BA3C5F76278432A60DA2D593364FAA61E5EBE7D12B757473D
C:\ProgramData\Microsoft\Windows\WER\Temp\WER706A.tmp.dmp	Mini DuMP crash report, 15 streams, Wed May 1 14:40:46 2024, 0x1205a4 type	AC0A05FFAFA2F0C07F1DC9981A4E73FC	F24C6E0356B50DF3E742562BA87E5B204D745D69	DDCECF87A82399A7B690F8FAF562314472AB40F8A9FA5D9CD5AAEB2082AD951B
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7125.tmp.dmp	Mini DuMP crash report, 15 streams, Wed May 1 14:40:45 2024, 0x1205a4 type	5B58179CB24D5B9A2A71B7EEDFD30911	40AD0C5BCADECDD5182F79B16BA8B616274472E1	148A90D291C4942C124D5B7C3E57B9208B2AE0D2BD912AC2B3CD51E57610C306
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7174.tmp.dmp	Mini DuMP crash report, 15 streams, Wed May 1 14:40:46 2024, 0x1205a4 type	2FC8ED14A1266082BF8830915F4BEA22	DB9F314F346979A31983BFDF0003CC8FFF639B57	17A0CFAED22A95435C97D9968107E6F38C3BFB6D6F88093C89652C0D8A413B08
C:\ProgramData\Microsoft\Windows\WER\Temp\WER729D.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	6D75F8A040F8762ECBFB8A89EBB7979E	639325662E55A075EB503BC655205260D1FAC428	789651D3CFEB73C4D9F2CFE200DEAB9774590B67E6B4183504A31BA8EB42E5EC
C:\ProgramData\Microsoft\Windows\WER\Temp\WER72ED.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	2FB60D7DBD7D1E5D0FC9686FEA769C36	A85A651D8E1A6F9297FF6C4D173D2C75B0F6A75C	8E89F541BA98D851846AAEF3FDC5E9711F7E069B1EC1F8E73F3660DB4B90CC38
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7359.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	4CCF1628A9765FA0D86AE06912B4296C	C90A3479E550C541D86A34F46D7E7EC9A549C92A	4C5C33573465257921CDFC409F36813053EBFC25A365CE304132BB862AADAD1F
C:\ProgramData\Microsoft\Windows\WER\Temp\WER73D7.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	1BC5227BD8B90A3E24D6E49451F6CE58	85E8F45255FFE194F0E7E606B2868F73F807327F	BB3B6D003D35E43A782BBBB63543803491D58A5B86A19F92E8491A5BEF806DA8
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7424.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	B9F0E9F9F1042F55DC959765A7C16CA2	09E6A89A31742A542014A82ADD5C2D3FD5D4FC93	BAA47A89A8360E6EF3BA340C4F7287AEEEBCEF621D14780EECABA0D774D948BB
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7473.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	C02ACCE3E6BFD668A9FDFB1F2B861D55	CB4713828B6DCF45A81C088D325D07CAD4CAC2F5	B1F4B735811FC618D53825F6666E33621CF68427545EB698EBB937AB403E5C08
C:\ProgramData\Microsoft\Windows\WER\Temp\WER751D.tmp.dmp	Mini DuMP crash report, 15 streams, Wed May 1 14:40:47 2024, 0x1205a4 type	4E134B4153B8F300CC6F2B565283F7B9	303A9951B5007EE0F2D930B6CC6F3FF51A6D7248	885CF1810BE71D5FB83C695E422C86C378E9C8D0F8E4552DE6B53393C6F1E69C
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D1D.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	2BCA9ADDF49E3C1BF28FEED5B42E2AB3	CC000E7BE2E29919E0E9BB2AA35B393887A19A41	311098C3705FBCA605BFAB4D89FBB1F5B6DBDF822FD9730D9C9CD61D12D9B359
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7DAB.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	EAE8A99E4CB0C880EE9EF5F7038647AA	C89232AE5C189DB354CDC345CFA336F8DC791D22	CC06D40DDF7B034B661A325DAF719CB9F69F37A2B6747829ECB05210674EDE1F
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB8.tmp.dmp	Mini DuMP crash report, 15 streams, Wed May 1 14:40:17 2024, 0x1205a4 type	33DAC73DC6E4697D5FA43A16AE7E8832	295EBA3609FF7B4F6E260AD671CA517720567CAF	CC9D8C9BA4DE38CF63059DFD3FB86A2A13389AAEE0BE86AF43141FD629354726
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC07.tmp.dmp	Mini DuMP crash report, 15 streams, Wed May 1 14:40:11 2024, 0x1205a4 type	02536188F269630545ACA5909932716F	4DF8F42C154E880E5EE87A531FC53851EA01357D	EAF503A8B1202B1632F1EB2547DAEB76EF6B7147F45F509C13533E0B265896BA
C:\ProgramData\Microsoft\Windows\WER\Temp\WERECC4.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	E04E8EFBE425377DC1B4EB831D90891B	6368DA57A9D6EC043CD74DB7963C96EF939686A3	E4D020CCC9DA235CBA9664C1E2BD96A73E8A8E8666C5469368DDB5B954F6B0BD
C:\ProgramData\Microsoft\Windows\WER\Temp\WERED23.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	72306B7F839B296F52FB9A3C3890804C	B5E4427E0CD19A17649DEB414E707A1C4F6C9754	699242D4CCC2C985BCA216314FA76BB97986C02E1BAEC23970BACF92EF111406
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFE47.tmp.dmp	Mini DuMP crash report, 15 streams, Wed May 1 14:40:16 2024, 0x1205a4 type	FDE1CF3A256FAFF54177A4D561129CBC	2DDE2BF76653FE3E1D484B58813E4E89C7356655	561F1F90C3DE460779A31EA09E5A814DF616CE76C0B4EFFCE71AD76A4C9CCFB3
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFF61.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	D745CA2E2AF5E7B8E176BF91B736CE93	4C61D58E768B9CC7D67BEBD9B269BAB38430B900	7DD75B651510A306133350044DC80FBC1690EDFB0DB8B255D49AB97A3D299F7D
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFFA1.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	306F3611C35635EB0FFBC1A2CAA437A9	7EDC9AF4FCC012779AA2A4BD1FD46B12A5744F8F	9F62EB8B8C6F7211B184087929AFC90858CE2A1D1289AC3131903304E7158E81
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	PE32 executable (GUI) Intel 80386, for MS Windows	733C1261CF02626F2354E6339BAA6717	C9E3599E1D7983FA7439BF2FF122FD7E51A59B93	A14041622D7D427F0B7EA24EFAA7E80A3B025C211273CE0914EE34B5E71BC8C4
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Local\Temp\rage131MP.tmp	ASCII text, with no line terminators	144CC877A0C2CF482E7AE4DE9BEA10C0	F8AA8CE7E90D15065A8AEEC9FDC9F8CA526F6A01	E07A83F90C72C98A0EC4CF4078C41AA6F25816B691B1A13E6ACECE56DA619DDE
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	BB8CCCD2FB008F2664DCD620A6C60DBE	AB360B649411C223B7FD3B9F63B94BBB15C4E871	8CD83EF4615C3EA25AA8142353562748DB7150A18D1B11086DE9F7B04B337BAE

Windows Analysis Report 2zdult23rz.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
2zdult23rz.exe