
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1436950
MD5: 51014f1c86736d8f91d432548062ebbf
SHA1: 6d0bab0a443ff43c293f57dface65dfea47501a9
SHA256: 1845d2a25b628c6ff5e489f83ff975a0c8140bbeeb8ea05f5404a45ee2f9c7ea
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 7428 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 51014F1C86736D8F91D432548062EBBF)
    • schtasks.exe (PID: 7488 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7536 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 7324 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7428 -s 1980 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 7584 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 51014F1C86736D8F91D432548062EBBF)
    • WerFault.exe (PID: 2816 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 1960 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 7592 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 51014F1C86736D8F91D432548062EBBF)
  • RageMP131.exe (PID: 7672 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 51014F1C86736D8F91D432548062EBBF)
    • WerFault.exe (PID: 8136 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7672 -s 1944 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • RageMP131.exe (PID: 7784 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 51014F1C86736D8F91D432548062EBBF)
    • WerFault.exe (PID: 6536 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 1908 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Yara hits on dropped files (Source | Rule | Description | Author):
C:\Users\user\AppData\Local\Temp\wwigCWSFuz2MihL8u4G1uFC.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
C:\Users\user\AppData\Local\Temp\9wBRx7ST9VOnJqni_JpioUs.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
C:\Users\user\AppData\Local\Temp\tC131VXqxqwXyoqOe7muh9i.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
C:\Users\user\AppData\Local\Temp\PSdiYEtw_DOSPKoK_uBheap.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security

Yara hits on memory dumps, 5 of 16 entries shown (Source | Rule | Description | Author):
00000005.00000002.2173403489.0000000001838000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000000.00000002.2023815185.0000000001CEC000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.1907164226.0000000001CE6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000007.00000002.2022464307.000000000191E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security

System Summary

Sigma rule hit: CurrentVersion Autorun Keys Modification
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 7428, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131
Snort IDS alerts (Timestamp | SID | Source Port | Destination Port | Protocol | Classtype):
05/06/24-20:08:42.332746 | 2046269 | 49731 | 58709 | TCP | A Network Trojan was detected
05/06/24-20:08:11.803337 | 2046267 | 58709 | 49730 | TCP | A Network Trojan was detected
05/06/24-20:07:53.913307 | 2046266 | 58709 | 49730 | TCP | A Network Trojan was detected
05/06/24-20:07:57.036164 | 2046269 | 49730 | 58709 | TCP | A Network Trojan was detected
05/06/24-20:07:53.682907 | 2049060 | 49730 | 58709 | TCP | A Network Trojan was detected
05/06/24-20:08:04.120685 | 2046266 | 58709 | 49733 | TCP | A Network Trojan was detected
05/06/24-20:08:05.646832 | 2046267 | 58709 | 49733 | TCP | A Network Trojan was detected
05/06/24-20:07:56.321028 | 2046266 | 58709 | 49732 | TCP | A Network Trojan was detected
05/06/24-20:08:18.051763 | 2046269 | 49738 | 58709 | TCP | A Network Trojan was detected
05/06/24-20:07:56.309289 | 2046266 | 58709 | 49731 | TCP | A Network Trojan was detected
05/06/24-20:08:11.640975 | 2046266 | 58709 | 49738 | TCP | A Network Trojan was detected
05/06/24-20:08:15.381006 | 2046267 | 58709 | 49731 | TCP | A Network Trojan was detected
05/06/24-20:08:11.897367 | 2046267 | 58709 | 49738 | TCP | A Network Trojan was detected
05/06/24-20:08:09.259896 | 2046269 | 49733 | 58709 | TCP | A Network Trojan was detected
05/06/24-20:08:30.364347 | 2046269 | 49732 | 58709 | TCP | A Network Trojan was detected

AV Detection

Source: http://147.45.47.102:57893/hera/amadka.exe | Avira URL Cloud: Label: malware
Source: http://147.45.47.102:57893/hera/amadka.exe | Virustotal: Detection: 19%
Source: http://193.233.132.56/cost/lenin.exesepro | Virustotal: Detection: 21%
Source: http://147.45.47.102:57893/hera/amadka.exe68.0 | Virustotal: Detection: 15%
Source: http://193.233.132.56/cost/go.exe00.1 | Virustotal: Detection: 18%
Source: http://193.233.132.56/cost/go.exe | Virustotal: Detection: 25%
Source: http://147.45.47.102:57893/hera/amadka.exeN | Virustotal: Detection: 18%
Source: http://193.233.132.56/cost/lenin.exe | Virustotal: Detection: 26%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | ReversingLabs: Detection: 39%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Virustotal: Detection: 39%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Virustotal: Detection: 39%
Source: file.exe | Virustotal: Detection: 38%
Source: file.exe | ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01036A80 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_003A6A80 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010566F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01035F80 FindFirstFileA,FindNextFileA,GetLastError,FindClose,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FA1F9C FindClose,FindFirstFileExW,GetLastError,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0104FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01003EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FA2022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01003850 FindFirstFileA,FindNextFileA,GetLastError,FindClose,
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_003C66F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_003BFE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00373EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00311F9C FindClose,FindFirstFileExW,GetLastError,
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_003A5F80 FindFirstFileA,FindNextFileA,GetLastError,FindClose,
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00312022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00373850 FindFirstFileA,FindNextFileA,GetLastError,FindClose,
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_751fa919568148cae58711204775ef674bafd71f_50e30abd_2c1d9ae0-1b69-4126-ae64-d738448a55b5\
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RageMP131.exe_d8cfe4b0b9575b2ab71f14e55e4d6484872cb94_df5fde7b_aa9d6a92-8d2d-4559-99fe-1b134b7dfc56\
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue

Networking

Source: Traffic | Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49731
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49732
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49731 -> 147.45.47.93:58709
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 147.45.47.93:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49733
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49733
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49733 -> 147.45.47.93:58709
Source: Traffic | Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49738
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49738
Source: Traffic | Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49731
Source: Traffic | Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49738 -> 147.45.47.93:58709
Source: global traffic | TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Joe Sandbox View | IP Address: 34.117.186.192 (2 identical entries)
Source: Joe Sandbox View | IP Address: 147.45.47.93
Source: Joe Sandbox View | IP Address: 104.26.5.15
Source: Joe Sandbox View | ASN Name: FREE-NET-ASFREEnetEU
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | DNS query: name: ipinfo.io (2 identical entries)
Source: global traffic | HTTP traffic detected (5 identical entries):
    GET /widget/demo/84.17.40.101 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: ipinfo.io
Source: global traffic | HTTP traffic detected (5 identical entries):
    GET /demo/home.php?s=84.17.40.101 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: db-ip.com
Source: unknown | TCP traffic detected without corresponding DNS query: 147.45.47.93 (50 identical entries)
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F880A0 recv,
                    Source: global trafficHTTP traffic detected: GET /widget/demo/84.17.40.101 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
                    Source: global trafficHTTP traffic detected: GET /demo/home.php?s=84.17.40.101 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
                    Source: global trafficDNS traffic detected: DNS query: ipinfo.io
                    Source: global trafficDNS traffic detected: DNS query: db-ip.com
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874348802.0000000001A65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
                    Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe68.0
                    Source: RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874348802.0000000001A65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeD)a#
                    Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeData
                    Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeDatae
                    Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeN
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeletsM
                    Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.56/cost/go.exe
                    Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.56/cost/go.exe00.1
                    Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.56/cost/go.exe1
                    Source: RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.56/cost/go.execoin
                    Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.56/cost/lenin.exe
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.56/cost/lenin.exe)
                    Source: RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.56/cost/lenin.exeUser
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.56/cost/lenin.exerbirdox/i
                    Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.132.56/cost/lenin.exesepro
                    Source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.drString found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
                    Source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.drString found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
                    Source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.drString found in binary or memory: http://pki-ocsp.symauth.com0
                    Source: Amcache.hve.18.drString found in binary or memory: http://upx.sf.net
                    Source: file.exe, 00000000.00000002.2021619357.0000000000F71000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170553211.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119820314.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020629490.0000000000611000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014597460.0000000000611000.00000040.00000001.01000000.00000005.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
                    Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/
                    Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=84.17.40.101
                    Source: MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=84.17.40.101(
                    Source: MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=84.17.40.101D
                    Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=84.17.40.101c
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=84.17.40.101g
                    Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=84.17.40.101s
                    Source: MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/ggg
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.0000000001647000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=84.17.40.101
                    Source: RageMP131.exe, 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=84.17.40.101e
                    Source: MPGPH131.exe, 00000005.00000002.2173403489.000000000174D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=84.17.40.101o
                    Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: RageMP131.exe, 00000008.00000002.2015798047.000000000199B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001963000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C71000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/Mozilla/5.0
                    Source: file.exe, 00000000.00000002.2021619357.0000000000F71000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170553211.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119820314.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020629490.0000000000611000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014597460.0000000000611000.00000040.00000001.01000000.00000005.sdmpString found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C28000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2023815185.0000000001C71000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.000000000178A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.000000000167F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.000000000195B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001972000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/84.17.40.101
                    Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/84.17.40.101~W
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C71000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.000000000174D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.0000000001647000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/84.17.40.101
                    Source: 3b6N2Xdh3CYwplaces.sqlite.8.drString found in binary or memory: https://support.mozilla.org
                    Source: 3b6N2Xdh3CYwplaces.sqlite.8.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                    Source: 3b6N2Xdh3CYwplaces.sqlite.8.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
                    Source: file.exe, 00000000.00000003.1864720375.0000000001D49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867274750.0000000001D67000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099216190.00000000018B0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2104564573.00000000018C5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822281358.0000000001A79000.00000004.00000020.00020000.00000000.sdmp, ELASOvMcSsNrHistory.7.dr, vd0z8wzGefD1History.8.dr, LhmhqtkXTkbYHistory.0.dr, iCl1DNg_vvFNHistory.5.dr, QZolPj_wU7yvHistory.8.dr, BhPLdlMH4HviHistory.5.dr, UqNl41FdpO7sHistory.0.dr, OAwfuvRJ7Zo3History.7.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                    Source: ELASOvMcSsNrHistory.7.dr, vd0z8wzGefD1History.8.dr, LhmhqtkXTkbYHistory.0.dr, iCl1DNg_vvFNHistory.5.dr, QZolPj_wU7yvHistory.8.dr, BhPLdlMH4HviHistory.5.dr, UqNl41FdpO7sHistory.0.dr, OAwfuvRJ7Zo3History.7.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                    Source: file.exe, 00000000.00000003.1864720375.0000000001D49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867274750.0000000001D67000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099216190.00000000018B0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2104564573.00000000018C5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822281358.0000000001A79000.00000004.00000020.00020000.00000000.sdmp, ELASOvMcSsNrHistory.7.dr, vd0z8wzGefD1History.8.dr, LhmhqtkXTkbYHistory.0.dr, iCl1DNg_vvFNHistory.5.dr, QZolPj_wU7yvHistory.8.dr, BhPLdlMH4HviHistory.5.dr, UqNl41FdpO7sHistory.0.dr, OAwfuvRJ7Zo3History.7.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                    Source: ELASOvMcSsNrHistory.7.dr, vd0z8wzGefD1History.8.dr, LhmhqtkXTkbYHistory.0.dr, iCl1DNg_vvFNHistory.5.dr, QZolPj_wU7yvHistory.8.dr, BhPLdlMH4HviHistory.5.dr, UqNl41FdpO7sHistory.0.dr, OAwfuvRJ7Zo3History.7.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                    Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.4
                    Source: RageMP131.exe, 00000007.00000002.2022464307.000000000191E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp, 9wBRx7ST9VOnJqni_JpioUs.zip.5.dr, wwigCWSFuz2MihL8u4G1uFC.zip.8.dr, tC131VXqxqwXyoqOe7muh9i.zip.7.dr, PSdiYEtw_DOSPKoK_uBheap.zip.0.drString found in binary or memory: https://t.me/RiseProSUPPORT
                    Source: RageMP131.exe, 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORT7
                    Source: MPGPH131.exe, 00000005.00000002.2173403489.0000000001838000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2110910326.0000000001838000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTli
                    Source: file.exe, 00000000.00000002.2023815185.0000000001CEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1907164226.0000000001CE6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTm
                    Source: MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro
                    Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1844046240.0000000001A1A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1873756554.0000000001AF6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.5.dr, passwords.txt.8.dr, passwords.txt.7.dr, passwords.txt.0.drString found in binary or memory: https://t.me/risepro_bot
                    Source: MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot#
                    Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot&
                    Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot4.17.40.101
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botisepro_bot
                    Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botlater
                    Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bots
                    Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.drString found in binary or memory: https://www.ecosia.org/newtab/
                    Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: file.exe, MPGPH131.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                    Source: 3b6N2Xdh3CYwplaces.sqlite.8.drString found in binary or memory: https://www.mozilla.org
                    Source: 3b6N2Xdh3CYwplaces.sqlite.8.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                    Source: 3b6N2Xdh3CYwplaces.sqlite.8.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1871264871.0000000001A5F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1870214972.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1873024686.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1863834626.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1866365018.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1870708054.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864231696.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1863653168.0000000001A64000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1866548748.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874348802.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864002119.0000000001A64000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1870547168.0000000001A5F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865973953.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1869370494.0000000001A5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                    Source: file.exe, 00000000.00000003.1907164226.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863659568.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1872810764.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1866453313.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1873275007.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1870000195.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865095538.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1866116710.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863851821.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1870498691.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2023815185.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864448208.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863077396.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1871475354.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865890235.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864066032.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865369865.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1870911713.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102332006.000000000189A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2107790457.000000000189A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2098278909.000000000189A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                    Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/I
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/S
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/T
                    Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/d
                    Source: 3b6N2Xdh3CYwplaces.sqlite.8.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1871264871.0000000001A5F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1870214972.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1873024686.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1863834626.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1866365018.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1870708054.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864231696.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1863653168.0000000001A64000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1866548748.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874348802.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864002119.0000000001A64000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1870547168.0000000001A5F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865973953.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1869370494.0000000001A5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
                    Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/-
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/eagonF
                    Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/efox/
                    Source: file.exe, 00000000.00000003.1907164226.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863659568.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1872810764.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1866453313.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1873275007.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1870000195.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865095538.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1866116710.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863851821.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1870498691.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2023815185.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864448208.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863077396.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1871475354.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865890235.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864066032.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865369865.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1870911713.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102332006.000000000189A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2107790457.000000000189A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2098278909.000000000189A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                    Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/r
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/refox
                    Source: RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874348802.0000000001A65000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/ta
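                    The t.me and maxmind.com strings above are the most reusable host-based indicators in this report. Variants such as https://t.me/risepro_bot4.17.40.101, https://t.me/risepro_botisepro_bot or https://t.me/risepro_botlater are the same URL followed by whatever adjacent memory happened to sit after it in the dump, not distinct addresses, so a scanner should match on the URL prefix and collapse the variants. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the RisePro sample. The indicator table and the memory bytes it scans are constructed from the strings listed above and are not an authoritative IoC feed.

```python
import re
from collections import defaultdict

# Constructed sample of a process memory dump. The trailing bytes after some of
# the t.me URLs ("4.17.40.101", "isepro_bot", "later") mimic what the report
# shows: adjacent heap data run together with the URL, not separate URLs.
SAMPLE_MEMORY = (
    b"\x00\x00https://t.me/risepro\x00\x00"
    b"https://t.me/risepro_bot\x00"
    b"https://t.me/risepro_bot4.17.40.101\x00"
    b"https://t.me/risepro_botisepro_bot\x00"
    b"https://t.me/risepro_botlater\x00"
    b"https://www.maxmind.com/en/locate-my-ip-address\x00"
    b"\x01\x02https://www.mozilla.org/privacy/firefox/\x00"
    b"INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);\x00"
)

# Indicator prefixes (host + path, no scheme). Assumption: an illustrative list
# built from the strings in this report, not a published RisePro IoC feed.
INDICATORS = {
    "t.me/risepro": "RisePro Telegram channel",
    "t.me/risepro_bot": "RisePro Telegram bot (operator contact)",
    "www.maxmind.com/en/locate-my-ip-address": "geo-IP lookup for victim fingerprinting",
}

# Printable run that looks like an http(s) URL; stops at the first byte outside
# the URL character set (NUL, control bytes, spaces).
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def extract_urls(blob: bytes) -> list[str]:
    """Return every URL-shaped printable run in the blob, in file order."""
    return [m.group(0).decode("ascii", "replace") for m in URL_RE.finditer(blob)]


def match_indicators(urls: list[str]) -> dict[str, list[str]]:
    """Group raw URL strings under the longest indicator prefix they start with.

    Prefix matching is deliberate: strings recovered from memory are often not
    terminated where the author intended, so "https://t.me/risepro_bot4.17.40.101"
    must count as a hit for t.me/risepro_bot instead of as an unknown URL.
    The longest prefix wins so that the bot URL is not reported as the channel.
    """
    hits: dict[str, set[str]] = defaultdict(set)
    for url in urls:
        hostpath = url.split("://", 1)[1]
        best = max((i for i in INDICATORS if hostpath.startswith(i)), key=len, default=None)
        if best is not None:
            hits[best].add(url)
    return {k: sorted(v) for k, v in hits.items()}


def scan(blob: bytes) -> dict[str, list[str]]:
    """Indicator -> sorted list of raw string variants seen in the blob."""
    return match_indicators(extract_urls(blob))


if __name__ == "__main__":
    for ind, raw in scan(SAMPLE_MEMORY).items():
        print(f"{INDICATORS[ind]:40} {ind:42} {len(raw)} variant(s)")
```

                    Run against a real dump by replacing SAMPLE_MEMORY with the bytes of the .sdmp region; benign browser and SQLite strings (mozilla.org, the INSERT statement) fall through unmatched, which is the expected behaviour for a stealer that embeds its own copy of SQLite.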
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
                    Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49734 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49735 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49742 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49744 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49745 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49747 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49748 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49749 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49750 version: TLS 1.2

                    System Summary

                    barindex
                    Source: file.exeStatic PE information: section name:
                    Source: file.exeStatic PE information: section name:
                    Source: file.exeStatic PE information: section name:
                    Source: file.exeStatic PE information: section name:
                    Source: file.exeStatic PE information: section name:
                    Source: file.exeStatic PE information: section name:
                    Source: RageMP131.exe.0.drStatic PE information: section name:
                    Source: RageMP131.exe.0.drStatic PE information: section name:
                    Source: RageMP131.exe.0.drStatic PE information: section name:
                    Source: RageMP131.exe.0.drStatic PE information: section name:
                    Source: RageMP131.exe.0.drStatic PE information: section name:
                    Source: RageMP131.exe.0.drStatic PE information: section name:
                    Source: MPGPH131.exe.0.drStatic PE information: section name:
                    Source: MPGPH131.exe.0.drStatic PE information: section name:
                    Source: MPGPH131.exe.0.drStatic PE information: section name:
                    Source: MPGPH131.exe.0.drStatic PE information: section name:
                    Source: MPGPH131.exe.0.drStatic PE information: section name:
                    Source: MPGPH131.exe.0.drStatic PE information: section name:
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0101A180
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FB002D
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0100F050
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0100D320
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01006330
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0104E3B0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010003C0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01047580
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010AF480
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01008630
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F7B8E0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FC8BB0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF1B90
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0106AC30
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0104EFB0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0104FE80
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01003EC0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0100AEE0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01003000
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FA71A0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FB036F
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010142A0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01013590
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010B85F0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F9F580
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FF4560
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01057760
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FC2610
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FC47BF
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010B7690
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FAC960
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FAA928
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FBDA86
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0105FBA0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0105EBA0
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010B5D10
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010B6C50
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010A4C70
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_01062F30
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00FC8E30
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_010B1E30
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EAF0000
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EAF09A3
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0032002D
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0037F050
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0038A180
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00376330
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0037D320
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_003BE3B0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_003703C0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0041F480
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_003B7580
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00378630
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_002EB8E0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00361B90
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_003DAC30
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00425D10
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_003BFE80
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0037AEE0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00373EC0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_003BEFB0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00373000
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_003171A0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_003842A0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0032036F
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00364560
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00383590
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0030F580
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_004285F0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00427690
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_003C7760
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_003347BF
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0031A928
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0031C960
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_0032DA86
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00338BB0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_003CEBA0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_003CFBA0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00426C50
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00414C70
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00338E30
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00421E30
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_003D2F30
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_7F0409A3
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_7F040000
                    Source: C:\Users\user\Desktop\file.exeCode function: String function: 00F8ACE0 appears 86 times
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: String function: 002FACE0 appears 86 times
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7672 -s 1944
                    Source: file.exe, 00000000.00000000.1612444595.0000000001111000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe
                    Source: file.exeBinary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe
                    Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: file.exeStatic PE information: Section: ZLIB complexity 0.9999685247031382
                    Source: file.exeStatic PE information: Section: ZLIB complexity 0.9983648255813954
                    Source: file.exeStatic PE information: Section: ZLIB complexity 0.9970703125
                    Source: RageMP131.exe.0.drStatic PE information: Section: ZLIB complexity 0.9999685247031382
                    Source: RageMP131.exe.0.drStatic PE information: Section: ZLIB complexity 0.9983648255813954
                    Source: RageMP131.exe.0.drStatic PE information: Section: ZLIB complexity 0.9970703125
                    Source: MPGPH131.exe.0.drStatic PE information: Section: ZLIB complexity 0.9999685247031382
                    Source: MPGPH131.exe.0.drStatic PE information: Section: ZLIB complexity 0.9983648255813954
                    Source: MPGPH131.exe.0.drStatic PE information: Section: ZLIB complexity 0.9970703125
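                    The empty section names above are the "PE file has nameless sections" hit, and a ZLIB complexity close to 1.0 means the section bytes are essentially incompressible, which is how packed or encrypted payloads look; file.exe, RageMP131.exe and MPGPH131.exe reporting the same three values is consistent with the dropped files being copies of the submitted sample. The Python below is an added example, not code from the report or from the sample: it builds a small constructed PE32 image, parses the section table with the standard library only, and reproduces both checks together with a writable-and-executable section check. The header sizes are the documented PE32 layout; the 0.98 threshold and the constructed section contents are assumptions.

```python
import random
import struct
import zlib
from typing import NamedTuple

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


class SectionInfo(NamedTuple):
    name: str
    virtual_address: int
    raw_size: int
    characteristics: int
    complexity: float


def zlib_complexity(data: bytes) -> float:
    """Compressed/raw size ratio, capped at 1.0. Near 1.0 means the bytes are
    incompressible, i.e. packed, compressed or encrypted content."""
    if not data:
        return 0.0
    return min(1.0, len(zlib.compress(data, 9)) / len(data))


def parse_sections(pe: bytes) -> list[SectionInfo]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i               # IMAGE_SECTION_HEADER is 40 bytes
        name, _vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append(SectionInfo(name.rstrip(b"\0").decode("ascii", "replace"),
                                    va, raw_size, chars, zlib_complexity(raw)))
    return sections


def audit(pe: bytes, threshold: float = 0.98) -> list[str]:
    """Flag nameless, incompressible, and writable+executable sections."""
    findings = []
    for s in parse_sections(pe):
        label = f"{s.name or '<nameless>'} @0x{s.virtual_address:X}"
        if not s.name:
            findings.append(f"{label}: empty section name")
        if s.complexity >= threshold:
            findings.append(f"{label}: zlib complexity {s.complexity:.4f}")
        if s.characteristics & IMAGE_SCN_MEM_EXECUTE and s.characteristics & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{label}: writable and executable")
    return findings


def build_minimal_pe(sections) -> bytes:
    """Constructed sample: a minimal, non-loadable PE32 image with the given
    (name, raw_bytes, characteristics) sections, file-aligned to 0x200."""
    n = len(sections)
    opt_size, align = 224, 0x200           # PE32 optional header size, FileAlignment
    header_len = 0x40 + 4 + 20 + opt_size + 40 * n
    raw_base = -(-header_len // align) * align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    table, body, va = b"", b"", 0x1000
    for name, raw, chars in sections:
        padded = raw.ljust(-(-len(raw) // align) * align, b"\0")
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), va,
                             len(padded), raw_base + len(body), 0, 0, 0, 0, chars)
        body += padded
        va += -(-len(raw) // 0x1000) * 0x1000
    header = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(raw_base, b"\0")
    return header + body


def build_sample() -> bytes:
    rnd = random.Random(1337)               # deterministic "packed" payload
    return build_minimal_pe([
        (b".text", bytes(range(256)) * 16, 0x60000020),   # normal code, compressible
        (b"", rnd.randbytes(4096), 0xE0000040),            # nameless, incompressible, RWX
        (b".data", b"\0" * 4096, 0xC0000040),              # zero-filled data
    ])


if __name__ == "__main__":
    for s in parse_sections(build_sample()):
        print(f"{s.name or '<nameless>':10} VA=0x{s.virtual_address:06X} "
              f"size={s.raw_size:6} complexity={s.complexity:.4f}")
    print("\n".join(audit(build_sample())))
```

                    To audit the real dropped files, pass the bytes of file.exe, RageMP131.exe or MPGPH131.exe to audit(); identical complexity values across the three are a quick way to confirm the copies are unchanged before hashing them.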
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@15/106@2/3
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0104FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
                    Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\RageMP131Jump to behavior
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7784
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7672
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7584
                    Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7428
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03
                    Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\rage131MP.tmpJump to behavior
                    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                    Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: file.exe, 00000000.00000002.2021619357.0000000000F71000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170553211.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119820314.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020629490.0000000000611000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014597460.0000000000611000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: file.exe, 00000000.00000002.2021619357.0000000000F71000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170553211.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119820314.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020629490.0000000000611000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014597460.0000000000611000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                    Source: file.exe, 00000000.00000003.1907164226.0000000001D16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1872810764.0000000001D16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1873275007.0000000001D16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2023815185.0000000001D16000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE segment_dV;
                    Source: RageMP131.exe, 00000007.00000003.1819367845.0000000001A42000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1819751197.0000000001A42000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1863834626.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864231696.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, cCZagzzOxnzSLogin Data For Account.7.dr, a7mDNvwnbxnHLogin Data For Account.8.dr, TLE_gXdWplrQLogin Data.0.dr, S1kWLfoUHhbSLogin Data.5.dr, LjKc4cZCdkn6Login Data.8.dr, KD92s1mFJPJgLogin Data For Account.0.dr, h7vTUP6iIQXbLogin Data.7.dr, ZhaKbTXVRlMcLogin Data For Account.5.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: file.exeVirustotal: Detection: 38%
                    Source: file.exeReversingLabs: Detection: 39%
                    Source: file.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                    Source: MPGPH131.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                    Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exe
                    Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
                    Source: unknownProcess created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
                    Source: unknownProcess created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7672 -s 1944
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 1908
                    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7428 -s 1980
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 1960
                    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                    Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: version.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: rstrtmgr.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: shfolder.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: d3d11.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: dxgi.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: resourcepolicyclient.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: d3d10warp.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: dxcore.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: ntmarta.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: devobj.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: webio.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: schannel.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: dpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: apphelp.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: version.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rstrtmgr.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncrypt.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntasn1.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: shfolder.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: uxtheme.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: windows.storage.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wldp.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: profapi.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: sspicli.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d11.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxgi.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: resourcepolicyclient.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: kernel.appcore.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d10warp.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxcore.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winhttp.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wininet.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mswsock.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: devobj.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: webio.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: iphlpapi.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winnsi.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dnsapi.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: fwpuclnt.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rasadhlp.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: schannel.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mskeyprotect.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncryptsslp.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msasn1.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptsp.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rsaenh.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptbase.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: gpapi.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: vaultcli.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wintypes.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntmarta.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dpapi.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: version.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rstrtmgr.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncrypt.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntasn1.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: shfolder.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: uxtheme.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: windows.storage.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wldp.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: profapi.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: sspicli.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d11.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxgi.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: resourcepolicyclient.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: kernel.appcore.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d10warp.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxcore.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winhttp.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wininet.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mswsock.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: devobj.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: webio.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: iphlpapi.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winnsi.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dnsapi.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: fwpuclnt.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rasadhlp.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: schannel.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mskeyprotect.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncryptsslp.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msasn1.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptsp.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rsaenh.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptbase.dll
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: shfolder.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: d3d11.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dxgi.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: resourcepolicyclient.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: d3d10warp.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dxcore.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: devobj.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: webio.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rstrtmgr.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: shfolder.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: d3d11.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dxgi.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: resourcepolicyclient.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: d3d10warp.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dxcore.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: devobj.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: webio.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: file.exeStatic file information: File size 3188736 > 1048576
                    Source: file.exeStatic PE information: Raw size of .data is bigger than: 0x100000 < 0x221000

                    Data Obfuscation

                    Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.f70000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeUnpacked PE file: 5.2.MPGPH131.exe.2e0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeUnpacked PE file: 6.2.MPGPH131.exe.2e0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeUnpacked PE file: 7.2.RageMP131.exe.610000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeUnpacked PE file: 8.2.RageMP131.exe.610000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0103F200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,
                    Source: initial sampleStatic PE information: section where entry point is pointing to: .data
                    Source: file.exeStatic PE information: section name:
                    Source: file.exeStatic PE information: section name:
                    Source: file.exeStatic PE information: section name:
                    Source: file.exeStatic PE information: section name:
                    Source: file.exeStatic PE information: section name:
                    Source: file.exeStatic PE information: section name:
                    Source: RageMP131.exe.0.drStatic PE information: section name:
                    Source: RageMP131.exe.0.drStatic PE information: section name:
                    Source: RageMP131.exe.0.drStatic PE information: section name:
                    Source: RageMP131.exe.0.drStatic PE information: section name:
                    Source: RageMP131.exe.0.drStatic PE information: section name:
                    Source: RageMP131.exe.0.drStatic PE information: section name:
                    Source: MPGPH131.exe.0.drStatic PE information: section name:
                    Source: MPGPH131.exe.0.drStatic PE information: section name:
                    Source: MPGPH131.exe.0.drStatic PE information: section name:
                    Source: MPGPH131.exe.0.drStatic PE information: section name:
                    Source: MPGPH131.exe.0.drStatic PE information: section name:
                    Source: MPGPH131.exe.0.drStatic PE information: section name:
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA3F59 push ecx; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF16A0 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF1EB0 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF1E80 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF0E90 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF2690 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF1EE0 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF0EF0 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF26F0 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF0EC0 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF26C0 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF16D0 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF1E20 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF0E30 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF2630 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF0E00 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF2600 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF1610 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF0E60 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF2660 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF1670 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF1640 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF1E50 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF1FA0 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF0FB0 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF27B0 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF0F80 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF2780 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF1790 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF0FE0 push 7EAF0002h; ret
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF27E0 push 7EAF0002h; ret
                    Source: file.exe Static PE information: section name: entropy: 7.999675017725288
                    Source: file.exe Static PE information: section name: entropy: 7.99639087266641
                    Source: file.exe Static PE information: section name: entropy: 7.83802229172669
                    Source: file.exe Static PE information: section name: entropy: 7.972593331740996
                    Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.999675017725288
                    Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.99639087266641
                    Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.83802229172669
                    Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.972593331740996
                    Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.999675017725288
                    Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.99639087266641
                    Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.83802229172669
                    Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.972593331740996
                    Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                    Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                    Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\file.exe Stalling execution: Execution stalls by calling Sleep
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
                    Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 751
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1120
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                    Source: C:\Users\user\Desktop\file.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                    Source: C:\Users\user\Desktop\file.exe Evaded block: after key decision
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evaded block: after key decision
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                    Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                    Source: C:\Users\user\Desktop\file.exe TID: 7432 Thread sleep count: 751 > 30
                    Source: C:\Users\user\Desktop\file.exe TID: 7432 Thread sleep count: 117 > 30
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7588 Thread sleep count: 1120 > 30
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7588 Thread sleep count: 117 > 30
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7588 Thread sleep count: 108 > 30
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7596 Thread sleep count: 349 > 30
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7596 Thread sleep count: 134 > 30
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7596 Thread sleep count: 106 > 30
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7676 Thread sleep count: 117 > 30
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7676 Thread sleep count: 55 > 30
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7788 Thread sleep count: 38 > 30
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7788 Thread sleep count: 308 > 30
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7788 Thread sleep count: 31 > 30
                    Source: C:\Users\user\Desktop\file.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010566F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01035F80 FindFirstFileA,FindNextFileA,GetLastError,FindClose,
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA1F9C FindClose,FindFirstFileExW,GetLastError,
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0104FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01003EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA2022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01003850 FindFirstFileA,FindNextFileA,GetLastError,FindClose,
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003C66F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003BFE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00373EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00311F9C FindClose,FindFirstFileExW,GetLastError,
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003A5F80 FindFirstFileA,FindNextFileA,GetLastError,FindClose,
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00312022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00373850 FindFirstFileA,FindNextFileA,GetLastError,FindClose,
                    Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_751fa919568148cae58711204775ef674bafd71f_50e30abd_2c1d9ae0-1b69-4126-ae64-d738448a55b5\
                    Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
                    Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\
                    Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RageMP131.exe_d8cfe4b0b9575b2ab71f14e55e4d6484872cb94_df5fde7b_aa9d6a92-8d2d-4559-99fe-1b134b7dfc56\
                    Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\
                    Source: C:\Windows\SysWOW64\WerFault.exe | File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C49000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(j
                    Source: RageMP131.exe, 00000008.00000003.1872875473.0000000001AA1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Dk&Ven_VMware&P
                    Source: RageMP131.exe, 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000L
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: #Windows 10 Microsoft Hyper-V Server
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 2012 Server Standard without Hyper-V
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 8 Microsoft Hyper-V Server
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
                    Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBn
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 11 Microsoft Hyper-V Server
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
                    Source: file.exe, 00000000.00000003.1872700677.0000000001D57000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: Amcache.hve.18.dr | Binary or memory string: vmci.sys
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
                    Source: RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: vmware
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 8 Server Standard without Hyper-V
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
                    Source: MPGPH131.exe, 00000006.00000003.1661761468.00000000016B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}l
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
                    Source: Amcache.hve.18.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.18.dr | Binary or memory string: VMware PCI VMCI Bus Device
                    Source: Amcache.hve.18.dr | Binary or memory string: VMware Virtual RAM
                    Source: RageMP131.exe, 00000008.00000003.1874545027.0000000001A92000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\*
                    Source: Amcache.hve.18.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: "Windows 8 Microsoft Hyper-V Server
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
                    Source: Amcache.hve.18.dr | Binary or memory string: VMware Virtual USB Mouse
                    Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017B5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 10 Server Standard without Hyper-V
                    Source: RageMP131.exe, 00000008.00000003.1874545027.0000000001A92000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
                    Source: MPGPH131.exe, 00000006.00000002.2121250052.000000000169C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000N
                    Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7A82178D
                    Source: Amcache.hve.18.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Hyper-V (guest)
                    Source: Amcache.hve.18.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: RageMP131.exe, 00000008.00000002.2015798047.000000000199B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}uV
                    Source: Amcache.hve.18.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 10 Microsoft Hyper-V Server
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
                    Source: Amcache.hve.18.dr | Binary or memory string: vmci.syshbin`
                    Source: Amcache.hve.18.dr | Binary or memory string: \driver\vmci,\driver\pci
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000124E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.00000000005BE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.00000000005BE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000008EE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000008EE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: ~VirtualMachineTypes
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000124E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.00000000005BE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.00000000005BE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000008EE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000008EE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: ]DLL_Loader_VirtualMachine
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: Windows 2016 Microsoft Hyper-V Server
                    Source: file.exe, 00000000.00000002.2021955024.000000000124E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.00000000005BE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.00000000005BE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000008EE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000008EE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: Windows 11 Server Standard without Hyper-V
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: )Windows 8 Server Standard without Hyper-V
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW^b
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: %Windows 2012 Microsoft Hyper-V Server
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: Hyper-V
                    Source: Amcache.hve.18.drBinary or memory string: VMware
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: $Windows 8.1 Microsoft Hyper-V Server
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: ,Windows 2012 Server Standard without Hyper-V
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: Windows 2012 Microsoft Hyper-V Server
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
                    Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                    Source: Amcache.hve.18.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
                    Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017D1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}/7rrP9UK+nYJkDUaruLFsmiax3GAXC2Igj63N1koqBHsy38rIIvg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*
                    Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}9
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: Windows 10 Essential Server Solutions without Hyper-V
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: Windows 8 Essential Server Solutions without Hyper-V
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.000000000169C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.000000000197C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001993000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
                    Source: RageMP131.exe, 00000008.00000003.1815205780.00000000019A5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}tV
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: Windows 10 Server Standard without Hyper-V (core)
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
                    Source: RageMP131.exe, 00000007.00000003.1739888881.000000000198D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: MPGPH131.exe, 00000005.00000003.2110910326.0000000001838000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
                    Source: Amcache.hve.18.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: %Windows 2016 Microsoft Hyper-V Server
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ta\*
                    Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}iles\fqs92o4p.default-release\signons.sqlite-journal
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: +Windows 8.1 Server Standard without Hyper-V
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: Windows 2016 Server Standard without Hyper-V
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
                    Source: Amcache.hve.18.drBinary or memory string: VMware20,1
                    Source: Amcache.hve.18.drBinary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.18.drBinary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.18.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
                    Source: Amcache.hve.18.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                    Source: Amcache.hve.18.dr | Binary or memory string: VMware VMCI Bus Device
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
                    Source: Amcache.hve.18.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
                    Source: RageMP131.exe, 00000008.00000003.1874545027.0000000001A92000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Only
                    Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7A82178D-
                    Source: Amcache.hve.18.dr | Binary or memory string: vmci.syshbin
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
                    Source: Amcache.hve.18.dr | Binary or memory string: VMware, Inc.
                    Source: RageMP131.exe, 00000007.00000003.1831034423.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}OT NULL DEFAULT 0, use_date INTEGER NOT NULL DEFAULT 0)S)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
                    Source: Amcache.hve.18.dr | Binary or memory string: VMware20,1hbin@
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
                    Source: RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: xVBoxService.exe
                    Source: Amcache.hve.18.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
                    Source: Amcache.hve.18.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: *Windows 11 Server Standard without Hyper-V
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
                    Source: Amcache.hve.18.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
                    Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW$
                    Source: RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: VBoxService.exe
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 8.1 Server Standard without Hyper-V
                    Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWXz~
                    Source: Amcache.hve.18.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: *Windows 10 Server Standard without Hyper-V
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
                    Source: RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: VMWare
                    Source: Amcache.hve.18.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
                    Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
                    Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J6HEdjEHUub5EtqTQ2dk3wwrCNfruTWZeEqONRrqgXAW0ke6pZXg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*
                    Source: RageMP131.exe, 00000007.00000002.2022464307.000000000191E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
                    Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: #Windows 11 Microsoft Hyper-V Server
                    Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                    Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Thread information set: HideFromDebugger
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Thread information set: HideFromDebugger
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Thread information set: HideFromDebugger
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Thread information set: HideFromDebugger
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Thread information set: HideFromDebugger
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Thread information set: HideFromDebugger
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Thread information set: HideFromDebugger
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Thread information set: HideFromDebugger
                    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FA8A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0103F200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01036D00 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01003EC0 mov eax, dword ptr fs:[00000030h]
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_003A6D00 mov eax, dword ptr fs:[00000030h]
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00373EC0 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010599F0 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree,
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FA451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FA8A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0031451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_00318A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0103F200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_003AF200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,
                    Source: C:\Users\user\Desktop\file.exeCode function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
                    Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,
                    Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,
                    Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                    Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,
                    Source: C:\Users\user\Desktop\file.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                    Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,
                    Source: C:\Users\user\Desktop\file.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,
                    Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,
                    Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,
                    Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,
                    Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,
                    Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: CreateDirectoryA, FindFirstFileA, CreateDirectoryA, CopyFileA, FindNextFileA, FindClose, GetLastError, GetLastError, CreateDirectoryA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetCurrentHwProfileA, GetModuleHandleExA, GetModuleFileNameA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetComputerNameA, GetUserNameA, GetDesktopWindow, GetWindowRect, GetUserDefaultLocaleName, GetKeyboardLayoutList, GetKeyboardLayoutList, LocalAlloc, GetKeyboardLayoutList, GetLocaleInfoA, LocalFree, GetLocalTime, GetSystemTime, GetTimeZoneInformation, TzSpecificLocalTimeToSystemTime, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetSystemInfo, GlobalMemoryStatusEx, CreateToolhelp32Snapshot, Process32First, Process32Next, Process32Next, CloseHandle, RegOpenKeyExA, RegEnumKeyExA, wsprintfA, RegOpenKeyExA, RegQueryValueExA, RegQueryValueExA, RegCloseKey, RegCloseKey
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW, GetLocaleInfoW, GetACP
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetUserDefaultLCID, IsValidCodePage, IsValidLocale, GetLocaleInfoW, GetLocaleInfoW
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetACP, IsValidCodePage, GetLocaleInfoW
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW, GetLocaleInfoW, GetLocaleInfoW
                    Source: C:\Users\user\Desktop\file.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0104FE80 CreateDirectoryA, FindFirstFileA, CreateDirectoryA, CopyFileA, FindNextFileA, FindClose, GetLastError, GetLastError, CreateDirectoryA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetCurrentHwProfileA, GetModuleHandleExA, GetModuleFileNameA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetComputerNameA, GetUserNameA, GetDesktopWindow, GetWindowRect, GetUserDefaultLocaleName, GetKeyboardLayoutList, GetKeyboardLayoutList, LocalAlloc, GetKeyboardLayoutList, GetLocaleInfoA, LocalFree, GetLocalTime, GetSystemTime, GetTimeZoneInformation, TzSpecificLocalTimeToSystemTime, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetSystemInfo, GlobalMemoryStatusEx, CreateToolhelp32Snapshot, Process32First, Process32Next, Process32Next, CloseHandle, RegOpenKeyExA, RegEnumKeyExA, wsprintfA, RegOpenKeyExA, RegQueryValueExA, RegQueryValueExA, RegCloseKey, RegCloseKey
                    Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: Amcache.hve.18.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                    Source: Amcache.hve.18.dr | Binary or memory string: msmpeng.exe
                    Source: Amcache.hve.18.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: Amcache.hve.18.dr | Binary or memory string: MsMpEng.exe

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 00000005.00000002.2173403489.0000000001838000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2023815185.0000000001CEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000003.1907164226.0000000001CE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.2022464307.000000000191E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000003.2110910326.0000000001838000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2173403489.000000000174D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: file.exe PID: 7428, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7584, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7592, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7672, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7784, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\wwigCWSFuz2MihL8u4G1uFC.zip, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\9wBRx7ST9VOnJqni_JpioUs.zip, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\tC131VXqxqwXyoqOe7muh9i.zip, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\PSdiYEtw_DOSPKoK_uBheap.zip, type: DROPPED
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx0gA
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsTP
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet*;T
                    Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                    Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: Yara match | File source: 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: file.exe PID: 7428, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7584, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7672, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7784, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 00000005.00000002.2173403489.0000000001838000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2023815185.0000000001CEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000003.1907164226.0000000001CE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.2022464307.000000000191E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000003.2110910326.0000000001838000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2173403489.000000000174D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: file.exe PID: 7428, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7584, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7592, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7672, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7784, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\wwigCWSFuz2MihL8u4G1uFC.zip, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\9wBRx7ST9VOnJqni_JpioUs.zip, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\tC131VXqxqwXyoqOe7muh9i.zip, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\PSdiYEtw_DOSPKoK_uBheap.zip, type: DROPPED
                    MITRE ATT&CK Matrix (one line per tactic column; the number in parentheses is the matrix's hit count for that technique, and techniques without a number are the unmatched default cells of the matrix)

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
                    Execution: Native API (3); Command and Scripting Interpreter (2); Scheduled Task/Job (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
                    Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                    Privilege Escalation: DLL Side-Loading (1); Process Injection (11); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
                    Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (12); Process Injection (11); Indicator Removal from Tools; HTML Smuggling; Dynamic API Resolution
                    Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
                    Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (35); Security Software Discovery (241); Virtualization/Sandbox Evasion (12); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1); System Network Configuration Discovery (1)
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
                    Collection: Archive Collected Data (1); Data from Local System (2); Email Collection (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
                    Command and Control: Ingress Tool Transfer (2); Encrypted Channel (21); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 1436950 | Sample: file.exe | Startdate: 06/05/2024 | Architecture: WINDOWS | Score: 100
                    Start -> DNS/IP: ipinfo.io; db-ip.com
                    Start -> signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 5 other signatures
                    Start -> started: file.exe (1 62); MPGPH131.exe (55); RageMP131.exe (55); 2 other processes
                    file.exe -> DNS/IP: 147.45.47.93, 49730, 49731, 49732 FREE-NET-ASFREEnetEU Russian Federation
                    file.exe -> dropped: C:\Users\user\AppData\Local\...\RageMP131.exe, PE32; C:\ProgramData\MPGPH131\MPGPH131.exe, PE32; C:\Users\user\...\PSdiYEtw_DOSPKoK_uBheap.zip, Zip
                    file.exe -> signatures: Detected unpacking (changes PE section rights); Tries to steal Mail credentials (via file / registry access); Found many strings related to Crypto-Wallets (likely being stolen); 2 other signatures
                    file.exe -> started: schtasks.exe (1); schtasks.exe (1); WerFault.exe
                    MPGPH131.exe -> dropped: C:\Users\user\...\9wBRx7ST9VOnJqni_JpioUs.zip, Zip
                    MPGPH131.exe -> signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found stalling execution ending in API Sleep call
                    MPGPH131.exe -> started: WerFault.exe
                    RageMP131.exe -> DNS/IP: ipinfo.io 34.117.186.192, 443, 49734, 49741 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States; db-ip.com 104.26.5.15, 443, 49735, 49744 CLOUDFLARENETUS United States
                    RageMP131.exe -> dropped: C:\Users\user\...\tC131VXqxqwXyoqOe7muh9i.zip, Zip
                    RageMP131.exe -> signatures: Tries to harvest and steal browser information (history, passwords, etc); Hides threads from debuggers
                    RageMP131.exe -> started: WerFault.exe
                    2 other processes -> dropped: C:\Users\user\...\wwigCWSFuz2MihL8u4G1uFC.zip, Zip
                    2 other processes -> started: WerFault.exe
                    schtasks.exe (first instance) -> started: conhost.exe
                    schtasks.exe (second instance) -> started: conhost.exe

Sample
Source | Detection | Scanner | Label
file.exe | 38% | Virustotal (Browse) |
file.exe | 39% | ReversingLabs | Win32.Trojan.Generic
file.exe | 100% | Joe Sandbox ML |

Dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 100% | Joe Sandbox ML |
C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Joe Sandbox ML |
C:\ProgramData\MPGPH131\MPGPH131.exe | 39% | ReversingLabs | Win32.Trojan.Generic
C:\ProgramData\MPGPH131\MPGPH131.exe | 40% | Virustotal (Browse) |
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 39% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 40% | Virustotal (Browse) |
                    No Antivirus matches
                    No Antivirus matches
URLs (strings as carved from memory; trailing characters after the file name are adjacent memory bytes, not part of the URL)
Source | Detection | Scanner | Label
http://pki-ocsp.symauth.com0 | 0% | URL Reputation | safe
http://147.45.47.102:57893/hera/amadka.exeDatae | 0% | Avira URL Cloud | safe
http://147.45.47.102:57893/hera/amadka.exe | 100% | Avira URL Cloud | malware
http://147.45.47.102:57893/hera/amadka.exe68.0 | 0% | Avira URL Cloud | safe
http://193.233.132.56/cost/lenin.exerbirdox/i | 0% | Avira URL Cloud | safe
http://147.45.47.102:57893/hera/amadka.exeD)a# | 0% | Avira URL Cloud | safe
http://193.233.132.56/cost/go.exe | 0% | Avira URL Cloud | safe
http://193.233.132.56/cost/lenin.exe) | 0% | Avira URL Cloud | safe
http://193.233.132.56/cost/lenin.exesepro | 0% | Avira URL Cloud | safe
https://t.4 | 0% | Avira URL Cloud | safe
http://193.233.132.56/cost/lenin.exeUser | 0% | Avira URL Cloud | safe
http://147.45.47.102:57893/hera/amadka.exe | 20% | Virustotal (Browse) |
http://193.233.132.56/cost/go.exe00.1 | 0% | Avira URL Cloud | safe
http://147.45.47.102:57893/hera/amadka.exeData | 0% | Avira URL Cloud | safe
http://193.233.132.56/cost/lenin.exesepro | 22% | Virustotal (Browse) |
http://193.233.132.56/cost/go.exe1 | 0% | Avira URL Cloud | safe
http://147.45.47.102:57893/hera/amadka.exeletsM | 0% | Avira URL Cloud | safe
http://147.45.47.102:57893/hera/amadka.exe68.0 | 15% | Virustotal (Browse) |
http://147.45.47.102:57893/hera/amadka.exeN | 0% | Avira URL Cloud | safe
http://193.233.132.56/cost/go.exe00.1 | 18% | Virustotal (Browse) |
http://193.233.132.56/cost/lenin.exe | 0% | Avira URL Cloud | safe
http://193.233.132.56/cost/go.exe | 25% | Virustotal (Browse) |
http://193.233.132.56/cost/go.execoin | 0% | Avira URL Cloud | safe
http://147.45.47.102:57893/hera/amadka.exeN | 18% | Virustotal (Browse) |
http://193.233.132.56/cost/lenin.exe | 26% | Virustotal (Browse) |
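The URL rows above mix real download URLs with bytes the sandbox carved from process memory right after them (amadka.exeDatae, lenin.exesepro, go.execoin, and so on), so one indicator shows up as several rows with different scanner verdicts. The Python below is an added example and not part of the Joe Sandbox report: it collapses each carved variant onto the shortest string in the table that is a prefix of it, keeps the highest detection ratio per indicator, and then matches the flagged host:port pairs against Squid-style proxy log lines. The rows are copied from the table above; the log lines, the 10% flag threshold and the prefix-collapse heuristic itself are the author's constructed assumptions, not values from the report.

```python
"""Collapse memory-carved URL strings from a sandbox URL table into canonical IOCs
and match them against proxy-log lines. Added example, not part of the Joe Sandbox report."""
from urllib.parse import urlsplit

# (string, detection %, scanner, label): copied from the report's URL table above. The tails
# "Datae", "D)a#", "sepro", ... are bytes the sandbox carved from process memory right after
# the real URL; they are kept verbatim so the collapse step has real input to work on.
RAW_ROWS = [
    ("http://pki-ocsp.symauth.com0", 0, "URL Reputation", "safe"),
    ("http://147.45.47.102:57893/hera/amadka.exeDatae", 0, "Avira URL Cloud", "safe"),
    ("http://147.45.47.102:57893/hera/amadka.exe", 100, "Avira URL Cloud", "malware"),
    ("http://147.45.47.102:57893/hera/amadka.exe68.0", 0, "Avira URL Cloud", "safe"),
    ("http://193.233.132.56/cost/lenin.exerbirdox/i", 0, "Avira URL Cloud", "safe"),
    ("http://147.45.47.102:57893/hera/amadka.exeD)a#", 0, "Avira URL Cloud", "safe"),
    ("http://193.233.132.56/cost/go.exe", 0, "Avira URL Cloud", "safe"),
    ("http://193.233.132.56/cost/lenin.exe)", 0, "Avira URL Cloud", "safe"),
    ("http://193.233.132.56/cost/lenin.exesepro", 0, "Avira URL Cloud", "safe"),
    ("https://t.4", 0, "Avira URL Cloud", "safe"),
    ("http://193.233.132.56/cost/lenin.exeUser", 0, "Avira URL Cloud", "safe"),
    ("http://147.45.47.102:57893/hera/amadka.exe", 20, "Virustotal", "Browse"),
    ("http://193.233.132.56/cost/go.exe00.1", 0, "Avira URL Cloud", "safe"),
    ("http://147.45.47.102:57893/hera/amadka.exeData", 0, "Avira URL Cloud", "safe"),
    ("http://193.233.132.56/cost/lenin.exesepro", 22, "Virustotal", "Browse"),
    ("http://193.233.132.56/cost/go.exe1", 0, "Avira URL Cloud", "safe"),
    ("http://147.45.47.102:57893/hera/amadka.exeletsM", 0, "Avira URL Cloud", "safe"),
    ("http://147.45.47.102:57893/hera/amadka.exe68.0", 15, "Virustotal", "Browse"),
    ("http://147.45.47.102:57893/hera/amadka.exeN", 0, "Avira URL Cloud", "safe"),
    ("http://193.233.132.56/cost/go.exe00.1", 18, "Virustotal", "Browse"),
    ("http://193.233.132.56/cost/lenin.exe", 0, "Avira URL Cloud", "safe"),
    ("http://193.233.132.56/cost/go.exe", 25, "Virustotal", "Browse"),
    ("http://193.233.132.56/cost/go.execoin", 0, "Avira URL Cloud", "safe"),
    ("http://147.45.47.102:57893/hera/amadka.exeN", 18, "Virustotal", "Browse"),
    ("http://193.233.132.56/cost/lenin.exe", 26, "Virustotal", "Browse"),
]

def canonical_map(strings):
    """Map each carved string to the shortest string in the set that is a prefix of it.

    If A is a proper prefix of B, A is almost always the real URL and B is A plus junk.
    Caveat: two distinct real URLs where one is a prefix of the other (/hera and /hera/x)
    would also merge, so review each group's variant list before acting on it.
    """
    canon = {}
    for s in sorted(set(strings), key=len):  # shortest first, so prefixes are seen first
        roots = dict.fromkeys(canon.values())  # canonical strings, increasing length
        canon[s] = next((c for c in roots if s.startswith(c)), s)
    return canon

def collapse(rows, flag_threshold=10):
    """Aggregate rows into {canonical_url: {variants, max_detection, verdicts, flagged}}.
    flag_threshold (percent of scanners) is an assumed analyst choice, not a report value."""
    canon = canonical_map(r[0] for r in rows)
    groups = {}
    for s, pct, scanner, label in rows:
        g = groups.setdefault(canon[s], {"variants": set(), "max_detection": 0,
                                         "verdicts": {}, "flagged": False})
        g["variants"].add(s)
        g["max_detection"] = max(g["max_detection"], pct)
        g["verdicts"][scanner] = max(g["verdicts"].get(scanner, 0), pct)
        g["flagged"] |= label.lower() == "malware" or pct >= flag_threshold
    return groups

def _netloc(url):
    """host:port with the port defaulted by scheme; a CONNECT-style 'host:port' is treated as https."""
    p = urlsplit(url if "://" in url else "https://" + url)
    return f"{p.hostname}:{p.port or (443 if p.scheme == 'https' else 80)}"

def flagged_netlocs(groups):
    """Set of host:port pairs worth blocking or hunting for."""
    return {_netloc(u) for u, g in groups.items() if g["flagged"]}

def match_proxy_log(lines, bad_netlocs):
    """Return (client, url) for Squid native-format lines whose URL (field 7) hits a flagged host:port."""
    hits = []
    for line in lines:
        f = line.split()
        if len(f) >= 7 and _netloc(f[6]) in bad_netlocs:
            hits.append((f[2], f[6]))
    return hits

# Constructed sample log lines (Squid native format); not taken from the report.
SAMPLE_LOG = [
    "1714982400.101 312 10.0.0.5 TCP_MISS/200 40960 GET http://147.45.47.102:57893/hera/amadka.exe - HIER_DIRECT/147.45.47.102 application/x-msdownload",
    "1714982400.205 15 10.0.0.5 TCP_MISS/200 512 GET https://ipinfo.io/widget/demo/84.17.40.101 - HIER_DIRECT/34.117.186.192 application/json",
    "1714982401.330 88 10.0.0.9 TCP_MISS/200 70000 GET http://193.233.132.56/cost/go.exe - HIER_DIRECT/193.233.132.56 application/x-msdownload",
    "1714982402.001 10 10.0.0.7 TCP_MISS/200 1024 GET https://www.ecosia.org/newtab/ - HIER_DIRECT/1.2.3.4 text/html",
]

if __name__ == "__main__":
    groups = collapse(RAW_ROWS)
    for url, g in sorted(groups.items(), key=lambda kv: -kv[1]["max_detection"]):
        print(f"{g['max_detection']:3d}% {'!' if g['flagged'] else ' '} {url} ({len(g['variants'])} carved variants)")
    print(match_proxy_log(SAMPLE_LOG, flagged_netlocs(groups)))
```

The 25 rows collapse to five indicators; the two download hosts end up flagged while the ipinfo.io and db-ip.com geolocation lookups, which many legitimate programs also make, stay out of the block set. The prefix heuristic is deliberately conservative about what it merges, so a fragment like https://t.4 that has no clean prefix in the table is left as its own group for manual review rather than guessed at.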
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipinfo.io | 34.117.186.192 | true | false | | high
db-ip.com | 104.26.5.15 | true | false | | high
URLs contacted
Name | Malicious | Antivirus Detection | Reputation
https://db-ip.com/demo/home.php?s=84.17.40.101 | false | | high
https://ipinfo.io/widget/demo/84.17.40.101 | false | | high
URLs found in memory and dropped files (the Name column is the string as carved, so trailing characters after the URL are adjacent memory bytes)
Name | Source | Malicious | Antivirus Detection | Reputation
https://db-ip.com/demo/home.php?s=84.17.40.101c | RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr | false | | high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF | 3b6N2Xdh3CYwplaces.sqlite.8.dr | false | | high
https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr | false | | high
https://t.me/RiseProSUPPORTm | file.exe, 00000000.00000002.2023815185.0000000001CEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1907164226.0000000001CE6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://db-ip.com/demo/home.php?s=84.17.40.101g | file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://147.45.47.102:57893/hera/amadka.exe | file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874348802.0000000001A65000.00000004.00000020.00020000.00000000.sdmp | false | 20% Virustotal (Browse); Avira URL Cloud: malware | unknown
http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07 | file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr | false | | high
https://db-ip.com/ | file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://db-ip.com/demo/home.php?s=84.17.40.101s | RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/RiseProSUPPORTli | MPGPH131.exe, 00000005.00000002.2173403489.0000000001838000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2110910326.0000000001838000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://147.45.47.102:57893/hera/amadka.exe68.0 | RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp | false | 15% Virustotal (Browse); Avira URL Cloud: safe | unknown
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr | file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr | false | | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | file.exe, 00000000.00000003.1864720375.0000000001D49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867274750.0000000001D67000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099216190.00000000018B0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2104564573.00000000018C5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822281358.0000000001A79000.00000004.00000020.00020000.00000000.sdmp, ELASOvMcSsNrHistory.7.dr, vd0z8wzGefD1History.8.dr, LhmhqtkXTkbYHistory.0.dr, iCl1DNg_vvFNHistory.5.dr, QZolPj_wU7yvHistory.8.dr, BhPLdlMH4HviHistory.5.dr, UqNl41FdpO7sHistory.0.dr, OAwfuvRJ7Zo3History.7.dr | false | | high
http://147.45.47.102:57893/hera/amadka.exeDatae | MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://193.233.132.56/cost/lenin.exerbirdox/i | file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://147.45.47.102:57893/hera/amadka.exeD)a# | RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874348802.0000000001A65000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.me/risepro | MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://193.233.132.56/cost/lenin.exe) | file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://193.233.132.56/cost/go.exe | RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp | false | 25% Virustotal (Browse); Avira URL Cloud: safe | unknown
https://db-ip.com:443/demo/home.php?s=84.17.40.101e | RageMP131.exe, 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/risepro_bot& | RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/risepro_bot# | MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | ELASOvMcSsNrHistory.7.dr, vd0z8wzGefD1History.8.dr, LhmhqtkXTkbYHistory.0.dr, iCl1DNg_vvFNHistory.5.dr, QZolPj_wU7yvHistory.8.dr, BhPLdlMH4HviHistory.5.dr, UqNl41FdpO7sHistory.0.dr, OAwfuvRJ7Zo3History.7.dr | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr | false | | high
https://t.me/risepro_botisepro_bot | file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://193.233.132.56/cost/lenin.exesepro | RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp | false | 22% Virustotal (Browse); Avira URL Cloud: safe | unknown
https://ipinfo.io/widget/demo/84.17.40.101~W | RageMP131.exe, 00000008.00000002.2015798047.00000000019B7000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://db-ip.com/ggg | MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/RiseProSUPPORT7 | RageMP131.exe, 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.4 | MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr | false | | high
https://db-ip.com/demo/home.php?s=84.17.40.101( | MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | file.exe, 00000000.00000002.2021619357.0000000000F71000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170553211.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119820314.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020629490.0000000000611000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014597460.0000000000611000.00000040.00000001.01000000.00000005.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr | false | | high
http://193.233.132.56/cost/lenin.exeUser | RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://t.me/risepro_bot4.17.40.101 | RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://upx.sf.net | Amcache.hve.18.dr | false | | high
https://db-ip.com:443/demo/home.php?s=84.17.40.101o | MPGPH131.exe, 00000005.00000002.2173403489.000000000174D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/RiseProSUPPORT | RageMP131.exe, 00000007.00000002.2022464307.000000000191E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp, 9wBRx7ST9VOnJqni_JpioUs.zip.5.dr, wwigCWSFuz2MihL8u4G1uFC.zip.8.dr, tC131VXqxqwXyoqOe7muh9i.zip.7.dr, PSdiYEtw_DOSPKoK_uBheap.zip.0.dr | false | | high
http://193.233.132.56/cost/go.exe00.1 | RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp | false | 18% Virustotal (Browse); Avira URL Cloud: safe | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | file.exe, 00000000.00000003.1864720375.0000000001D49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867274750.0000000001D67000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099216190.00000000018B0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2104564573.00000000018C5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822281358.0000000001A79000.00000004.00000020.00020000.00000000.sdmp, ELASOvMcSsNrHistory.7.dr, vd0z8wzGefD1History.8.dr, LhmhqtkXTkbYHistory.0.dr, iCl1DNg_vvFNHistory.5.dr, QZolPj_wU7yvHistory.8.dr, BhPLdlMH4HviHistory.5.dr, UqNl41FdpO7sHistory.0.dr, OAwfuvRJ7Zo3History.7.dr | false | | high
https://www.ecosia.org/newtab/ | file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr | false | | high
https://ipinfo.io/Mozilla/5.0 | file.exe, 00000000.00000002.2023815185.0000000001C71000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019B7000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 3b6N2Xdh3CYwplaces.sqlite.8.dr | false | | high
http://147.45.47.102:57893/hera/amadka.exeData | RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr | false
                                                                                                    high
                                                                                                    http://193.233.132.56/cost/go.exe1RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://db-ip.com/demo/home.php?s=84.17.40.101DMPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://t.me/risepro_botRageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1844046240.0000000001A1A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1873756554.0000000001AF6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.5.dr, passwords.txt.8.dr, passwords.txt.7.dr, passwords.txt.0.drfalse
                                                                                                        high
                                                                                                        http://147.45.47.102:57893/hera/amadka.exeletsMfile.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://t.me/risepro_botlaterMPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://ipinfo.io/RageMP131.exe, 00000008.00000002.2015798047.000000000199B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001963000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019B7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://pki-ocsp.symauth.com0file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.drfalse
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            https://www.maxmind.com/en/locate-my-ip-addressfile.exe, MPGPH131.exefalse
                                                                                                              high
                                                                                                              http://147.45.47.102:57893/hera/amadka.exeNMPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • 18%, Virustotal, Browse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://db-ip.com:443/demo/home.php?s=84.17.40.101file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.0000000001647000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://193.233.132.56/cost/lenin.exeRageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • 26%, Virustotal, Browse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://www.winimage.com/zLibDllfile.exe, 00000000.00000002.2021619357.0000000000F71000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170553211.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119820314.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020629490.0000000000611000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014597460.0000000000611000.00000040.00000001.01000000.00000005.sdmpfalse
                                                                                                                  high
                                                                                                                  https://support.mozilla.org3b6N2Xdh3CYwplaces.sqlite.8.drfalse
                                                                                                                    high
                                                                                                                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplesELASOvMcSsNrHistory.7.dr, vd0z8wzGefD1History.8.dr, LhmhqtkXTkbYHistory.0.dr, iCl1DNg_vvFNHistory.5.dr, QZolPj_wU7yvHistory.8.dr, BhPLdlMH4HviHistory.5.dr, UqNl41FdpO7sHistory.0.dr, OAwfuvRJ7Zo3History.7.drfalse
                                                                                                                      high
                                                                                                                      https://ipinfo.io:443/widget/demo/84.17.40.101file.exe, 00000000.00000002.2023815185.0000000001C71000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.000000000174D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.0000000001647000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://t.me/risepro_botsMPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.drfalse
                                                                                                                            high
                                                                                                                            http://193.233.132.56/cost/go.execoinRageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
Contacted IPs: IP | Domain | Country | ASN | ASN Name | Malicious
34.117.186.192 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
147.45.47.93 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | true
104.26.5.15 | db-ip.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1436950
Start date and time: 2024-05-06 20:07:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 1s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@15/106@2/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 58%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Created / dropped Files have been reduced to 100
• Excluded IPs from analysis (whitelisted): 52.168.117.173, 52.182.143.212
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing behavior information
• Report size exceeded the maximum capacity and may be missing disassembly code
• Report size getting too big, too many NtCreateFile calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
Time | Type | Description
19:07:52 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
19:07:53 | Task Scheduler | Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
19:07:53 | Task Scheduler | Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
19:08:00 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
20:08:28 | API Interceptor | 80x Sleep call for process: MPGPH131.exe modified
20:08:29 | API Interceptor | 4x Sleep call for process: WerFault.exe modified
Process: C:\Users\user\Desktop\file.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 3188736
Entropy (8bit): 7.981027272062894
Encrypted: false
SSDEEP: 98304:DInXnNqIvqO74jZlyPeYy+sOnc6FqoMD:ygISO7sZae+FcSMD
MD5: 51014F1C86736D8F91D432548062EBBF
SHA1: 6D0BAB0A443FF43C293F57DFACE65DFEA47501A9
SHA-256: 1845D2A25B628C6FF5E489F83FF975A0C8140BBEEB8EA05F5404A45EE2F9C7EA
SHA-512: E05A72A5DEDE84005AEDB80884CE191180BFD811A5AA197E18B5D467170B1E6B534B42EEF3F37782355193663F952599D7EB6D0121A6F1ADB2019CB3B547187D
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 39%
• Antivirus: Virustotal, Detection: 40%, Browse
Reputation: low
                                                                                                                            Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....96f...............'.........................@......................................@... .. .... .. ..........P.......\...............................0........................................................................................................6..................@........................:..............@............P...P.......<..............@........................D..............@................p...b...D..............@....rsrc...............................@..@..........x......(...p..............@....data....."......".................@...................................................................................................................................................
Process: C:\Users\user\Desktop\file.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.0905694034302293
Encrypted: false
SSDEEP: 192:+CRlrSzZ8DX0N/QB6E6jjYZrSruBl9zuiFGZ24IO826t:BKZekN/QEjC9zuiFGY4IO8p
MD5: AA33BA4BF670C5953A2F6849F09214EE
SHA1: 9654FA3E4E28A7A5EC9712BD477049F87717B9BC
SHA-256: 60351DC8F18704950DA6429CDCB7657CF90F1FD55EBA315194453D155F1A7904
SHA-512: 667BC52BE4258C36A5ACD14726F8841A8C276546B9E269DDEF15F85AEDBF8019134420E3C82870C1B7F1C613AD4DF17C7126C6C1C9329D47CFE56BA909DD8853
Malicious: false
Reputation: low
                                                                                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.4.9.2.5.2.3.6.1.6.6.8.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.4.9.2.5.2.4.1.9.4.8.0.3.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.4.0.2.6.3.c.b.-.4.9.b.4.-.4.1.b.7.-.b.4.8.7.-.4.b.8.1.8.3.1.5.d.5.e.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.c.6.d.0.b.0.6.-.3.3.0.5.-.4.8.8.2.-.9.8.3.4.-.f.8.8.3.7.c.5.e.f.e.e.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.r.o.s.s.D.e.v.i.c.e.S.e.t.t.i.n.g.s.H.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.a.0.-.0.0.0.1.-.0.0.1.4.-.8.8.1.5.-.6.f.5.0.e.0.9.f.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.6.7.a.b.c.f.8.d.6.c.2.5.2.9.7.e.d.9.7.2.3.e.f.1.6.c.3.8.f.3.6.0.0.0.0.0.9.1.0.!.0.0.0.0.6.d.0.b.a.b.0.a.4.4.3.f.f.4.3.c.2.9.3.f.5.7.
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):65536
                                                                                                                            Entropy (8bit):1.0964596449196107
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:q4Es50W0MpLFgjYZrSruBF9zuiFGZ24IO8ilp:2s509MpLFgjC9zuiFGY4IO8ij
                                                                                                                            MD5:C31F66AAD3C803A9195EE514D87571F5
                                                                                                                            SHA1:3CD88A966E201D2B26E21456B1A9D2A4E4C1B92B
                                                                                                                            SHA-256:91757B335D88B354A602F9841711687C8233E333C2211AE0B6D2E070D8990066
                                                                                                                            SHA-512:0A1DF693A8AA45C2EF00B40EB6CBF35887AB0B119E85C15ED8927376B6EAE23BB2FF7557557C17BBD55222C0AB307685B34F0DDBB790B5D9F3B242043AB389B5
                                                                                                                            Malicious:false
                                                                                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.4.9.2.4.9.6.6.4.2.4.1.7.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.4.9.2.4.9.7.5.9.5.5.3.7.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.a.9.d.6.a.9.2.-.8.d.2.d.-.4.5.5.9.-.9.9.f.e.-.1.b.1.3.4.b.7.d.f.c.5.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.1.0.f.e.e.f.d.-.f.f.d.5.-.4.2.c.8.-.a.e.b.e.-.b.d.8.c.a.f.a.9.6.b.8.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.a.g.e.M.P.1.3.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.r.o.s.s.D.e.v.i.c.e.S.e.t.t.i.n.g.s.H.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.f.8.-.0.0.0.1.-.0.0.1.4.-.5.e.3.e.-.d.c.5.4.e.0.9.f.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.6.7.a.b.c.f.8.d.6.c.2.5.2.9.7.e.d.9.7.2.3.e.f.1.6.c.3.8.f.3.6.0.0.0.0.0.9.1.0.!.0.0.0.0.6.d.0.b.a.b.0.a.4.4.3.f.f.4.3.c.2.9.3.f.5.
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):65536
                                                                                                                            Entropy (8bit):1.0899393167777214
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:vBUnW0W0MpLFgjTZrlyLB+EzuiFGZ24IO8il:5UnW09MpLFgjNEzuiFGY4IO8i
                                                                                                                            MD5:2CA776CB2C6318C667E984C174AFB133
                                                                                                                            SHA1:4BC3A2B560AAB09D12431FFA495939F944C53DA6
                                                                                                                            SHA-256:6C7F40749FECF3111C83ECF8FF43F1585FACB4C409D8F831B06498E4456DC3EC
                                                                                                                            SHA-512:BA0D5D03296950334485F6745266A106D48F2BDF87415E3DBBC24CB710DA3F14C3618D24EC89DE4ACD00512A45DDD4639E7272BF38A230706F42F0E03A291F7E
                                                                                                                            Malicious:false
                                                                                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.4.9.2.5.0.0.1.5.8.8.7.2.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.4.9.2.5.0.0.8.4.6.3.9.3.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.3.a.f.e.7.5.9.-.c.5.5.1.-.4.3.1.a.-.a.5.4.b.-.0.1.4.b.0.5.a.4.0.a.e.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.3.3.0.3.1.5.d.-.7.f.3.c.-.4.1.f.8.-.8.9.9.0.-.7.7.d.9.6.2.3.4.b.1.5.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.a.g.e.M.P.1.3.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.r.o.s.s.D.e.v.i.c.e.S.e.t.t.i.n.g.s.H.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.6.8.-.0.0.0.1.-.0.0.1.4.-.4.9.3.4.-.a.e.5.9.e.0.9.f.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.6.7.a.b.c.f.8.d.6.c.2.5.2.9.7.e.d.9.7.2.3.e.f.1.6.c.3.8.f.3.6.0.0.0.0.0.9.1.0.!.0.0.0.0.6.d.0.b.a.b.0.a.4.4.3.f.f.4.3.c.2.9.3.f.5.
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):65536
                                                                                                                            Entropy (8bit):1.0843647047578129
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:rPBlVv2PXh07VKrI3jxZrBruVzfzuiFGZ24IO8iB:Vf2vi7VKsjwfzuiFGY4IO8S
                                                                                                                            MD5:9CD05F7201C84C3EAE853B7F6D11EB79
                                                                                                                            SHA1:C69913D9107A9550DCD24C8FBAAC87EA493CD6EE
                                                                                                                            SHA-256:7E562B75DF4D1B182C40666680F5773D52382E02AF2EE8C97C5C22A18B7DE357
                                                                                                                            SHA-512:AF13F61976C03AE2758B6801CDC93FF1C6489C273804DCA22BBF2825FC69E0014CA86608568E697D4B11FDA4B27D7066FA22464DD7B8C86515CB51B7D51B2291
                                                                                                                            Malicious:false
                                                                                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.4.9.2.5.0.0.4.8.2.9.0.2.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.4.9.2.5.0.1.0.2.9.7.8.3.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.c.1.d.9.a.e.0.-.1.b.6.9.-.4.1.2.6.-.a.e.6.4.-.d.7.3.8.4.4.8.a.5.5.b.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.3.d.f.3.2.1.a.-.d.3.8.9.-.4.b.1.a.-.b.c.e.2.-.7.7.6.6.a.6.c.d.e.e.4.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.r.o.s.s.D.e.v.i.c.e.S.e.t.t.i.n.g.s.H.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.0.4.-.0.0.0.1.-.0.0.1.4.-.7.9.c.a.-.d.0.4.e.e.0.9.f.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.6.7.a.b.c.f.8.d.6.c.2.5.2.9.7.e.d.9.7.2.3.e.f.1.6.c.3.8.f.3.6.0.0.0.0.0.9.1.0.!.0.0.0.0.6.d.0.b.a.b.0.a.4.4.3.f.f.4.3.c.2.9.3.f.5.7.d.f.a.c.
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:Mini DuMP crash report, 15 streams, Mon May 6 18:08:17 2024, 0x1205a4 type
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):129244
                                                                                                                            Entropy (8bit):1.8664892656470333
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:384:R4IKedBfue6DB09Rj/MAaC/ak3eC36irjRv4AtqoT6PdbeJ5A3XziCG46Mh:KeHfue6DBUjDjswRv4xoqdKn+XMg
                                                                                                                            MD5:F9F6B87B2052478E4B155A5705524DB8
                                                                                                                            SHA1:B75BBB89FD21007880E55E5856E8B2FCC1811953
                                                                                                                            SHA-256:418E0D7556EC9DC5E72AA0825EE4B9828DB616C32510FC77B91B512FCAD2491E
                                                                                                                            SHA-512:541714E05BDB62BAFE8FADE90FDFA08EC6C3737E083E2A6DF989BE7B27C205D5FA3F131C1AA6E63D6FF24449FD3E43953E393BDD51C24285884F5343656C06EF
                                                                                                                            Malicious:false
                                                                                                                            Preview:MDMP..a..... .........9f............D...........H...X.......l....%......$....U..........`.......8...........T............M..L............&...........'..............................................................................eJ.......(......GenuineIntel............T.............9f............................. ..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):8396
                                                                                                                            Entropy (8bit):3.7025230006291654
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:R6l7wVeJ6t606Y9VSUj3gmflJJRoprZ89biXsf0eGWm:R6lXJo606YvSUj3gmflJJRbicfS
                                                                                                                            MD5:E6961886BC4A7B550AAF54ABD3849F11
                                                                                                                            SHA1:F2C3E87EC9F01A616259B4F9C66866740B82CAEA
                                                                                                                            SHA-256:1200C767DED18A9A0C8B1D9090F1D70141D3310BDA28D86C9ABF9C5FB42AB6CD
                                                                                                                            SHA-512:8D6B440DAB44E3295104A062DD72ADF3809B3B89B357C9DB838FC47368EABE650333FFB19C5AEE2D39EC8E35FF91585963BACBBBBD5F8FAAFDF14E4B549DE241
                                                                                                                            Malicious:false
                                                                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.7.2.<./.P.i.
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):4718
                                                                                                                            Entropy (8bit):4.510283429940356
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:cvIwWl8zsNJg77aI9joWpW8VYmYm8M4JSfFqdQu+q81e0Tvz9effd:uIjfnI71B7VuJ0uKlend
                                                                                                                            MD5:9A41A724EBF1E9CC1E1D6FC1FDB3DBBF
                                                                                                                            SHA1:6BD16B91535283A61E6EE7FD473D288ED132F94B
                                                                                                                            SHA-256:D5B8DDF8CB785699A78F105CFEA83D7E32CEE824ABC7C15318CEA00FB2189DD1
                                                                                                                            SHA-512:36E323F23DABC97E2E6AE0422BE518EB4F15A8565F43FA1FE89184A0EC99F52A7C23BD6FAC57E5938C69D9216F60E8402028E1CCE3E3121601CA3855B1B22343
                                                                                                                            Malicious:false
                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="311590" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:Mini DuMP crash report, 15 streams, Mon May 6 18:08:20 2024, 0x1205a4 type
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):127924
                                                                                                                            Entropy (8bit):1.8698917211657768
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:384:51jiWdU0lISe6UuyEafkiToPX/XMmENHNiHLD5rwWKN/3oPH:GW+jSe6UuKfkaVKX5kWk3o/
                                                                                                                            MD5:C8550F84FCB3CC9A144BC3D89C405C3C
                                                                                                                            SHA1:F51039719BC58DB77F103C6775CE38CCEED458E1
                                                                                                                            SHA-256:CAEBC1E69932E0B4BBCDD9ADAD22830F460A0CF7369BA720E24A924E935A9A69
                                                                                                                            SHA-512:8C2F1C562E6DA9AD03ACFDC444F2ACE0FF05B5DF35330F3C5571D755DAE0341DF640E0FD96E715D9D078A2A14FE6CCFABC41822B76BCF5FABA76EC9735FBF3E4
                                                                                                                            Malicious:false
                                                                                                                            Preview:MDMP..a..... .........9f............D...............X.......l...4%...........T..........`.......8...........T............K..............%...........'..............................................................................eJ......$(......GenuineIntel............T.......h.....9f............................. ..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:Mini DuMP crash report, 15 streams, Mon May 6 18:08:20 2024, 0x1205a4 type
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):128722
                                                                                                                            Entropy (8bit):1.8718952625692038
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:384:KOhkAVdUFE4suu69LBqtL0GPrh1LG77G8r+kp6N4WoErtFFHjy2lx03a:XV2FEfuu69ItbjhVG7lZw/Jlwa
                                                                                                                            MD5:3FDD9DDD24F867247F550D79576492B5
                                                                                                                            SHA1:CBB6B106E4E9A38AC7F27442A390EB76394D4516
                                                                                                                            SHA-256:4BD6E64F1B061E12233D81586387E019CDCA3983F4EE4D40D9D0C30AEB570672
                                                                                                                            SHA-512:CC514C666E3BF56F59EAC186B0298C1AFAA4814826382F1C9D5A9588DAA4C77D40006954C777DD6E5CF27EC722051B5A1323DCEDC7D6153544E7EFF536E3FEA0
                                                                                                                            Malicious:false
                                                                                                                            Preview:MDMP..a..... .........9f............D...........H...X.......l....%...........U..........`.......8...........T............N..............&...........'..............................................................................eJ.......(......GenuineIntel............T...........v.9f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):8396
                                                                                                                            Entropy (8bit):3.7010156450821152
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:R6l7wVeJKN6r6Y9YSUb4gmflJJRopra89bOOsfTam:R6lXJY6r6YSSUb4gmflJJRuONff
                                                                                                                            MD5:35D2004C8B1C4F58AF70EDAC2D347B77
                                                                                                                            SHA1:C6DE8C24B7B7A32F81759DF12B072406EF95A652
                                                                                                                            SHA-256:04CE5EB49FBA8D9C7F4A6F34D0CAF04B0697697D6D0B3BCAA073528AAC159919
                                                                                                                            SHA-512:DFFC4F48A1E8A69D024D02368D207E6FF5EE6CB1E4116B28128DA5AC1EB831CDF571ADE17C532C3353BE1E65D1D9A11A114777DC9C32E6DAF1C5FC8FF94C69FC
                                                                                                                            Malicious:false
                                                                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.8.4.<./.P.i.
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):4718
                                                                                                                            Entropy (8bit):4.5132178215338925
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:cvIwWl8zsWJg77aI9joWpW8VYSYm8M4JSfFo+q81WTvz9eQfd:uIjfsI71B7VyJpfleed
                                                                                                                            MD5:224398A0D108958FB7ED8230FFE3B5EC
                                                                                                                            SHA1:BF6C7E2EFDE59198909C1502CB36C819704688A0
                                                                                                                            SHA-256:472A7539216723B5D1F7C8AFA77AF595C3104DCDA0CDEF7103A208A79A51AC76
                                                                                                                            SHA-512:5C2B34CBD28B99FFCE63BCD5B168F3E9C8B719A9499E91AD66C433128C9F6E838A8CE84EB6B1E5675775F8176B54A83A3E92DE454813F0E2AAA6735E1581E8A8
                                                                                                                            Malicious:false
                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="311591" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):8376
                                                                                                                            Entropy (8bit):3.6983318919204144
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:R6l7wVeJrCG6rE6Y9dSUcZmgmfBtJJKprZ89bOOe0sf3am:R6lXJv6w6YnSUc4gmfrJJpOnf7
                                                                                                                            MD5:C9E49EE149F5CE16D9DC0F377D895655
                                                                                                                            SHA1:4FE1A3DBA67C58A31C6330AA8B3951A6CC37F3DD
                                                                                                                            SHA-256:37CE4B8B644B3DFB082DC6BF495E23BBBB1C3632642EB5F2673DFE90F9DDC858
                                                                                                                            SHA-512:72EA2E1253A4760A758DDB1C72014EE2E335C35862C0B5379981D75A330027227243F1E6CAC04C61CE7D956E82CFB1DAB8B58712011F4404B358969EA1224CCA
                                                                                                                            Malicious:false
                                                                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.2.8.<./.P.i.
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):4693
                                                                                                                            Entropy (8bit):4.492181588108718
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:cvIwWl8zsWJg77aI9joWpW8VYlYm8M4JwwhfFA+q8qhskTvzCn/fd:uIjfsI71B7VRJyfKnHd
                                                                                                                            MD5:D458114B6F7E01BD639DF7FEBB4916CB
                                                                                                                            SHA1:51C5D93ED0FB43D2D48ABF19675D4ADAF9B822D1
                                                                                                                            SHA-256:866CDE98BFD62F6BF7A6C22D5E1F0DE64847B93C3AC6F985D236B3DC5265A37F
                                                                                                                            SHA-512:06AA5AADDD6B7FA5803B832D1676B3DE09BDA661F99434198CA3CE34F9DC5A49436A1DA86CDD07372B1E278B93D8247286596B10C78C1AE97C0BEB1644540FFC
                                                                                                                            Malicious:false
                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="311591" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:Mini DuMP crash report, 15 streams, Mon May 6 18:08:43 2024, 0x1205a4 type
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):124194
                                                                                                                            Entropy (8bit):1.8790490714345165
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:384:+04+dlGue661ofmc58qELqtdiNcpBefBrt6RJ8TG0ROuf:8+LGue661ofzWqnycpOr+b0RXf
                                                                                                                            MD5:666AD78D41360D232AFBD74E5088E4AF
                                                                                                                            SHA1:8D3C807B86443A474F50855BB2293B8043912961
                                                                                                                            SHA-256:784D43CA6CFD82D5923C30E95CE46BD122B0E6CA8533A0A6B4EF2804D8A3918A
                                                                                                                            SHA-512:0494860663F59C75D99EE3F5D1D9DBB27B3A58D1B6013A5390165623EEDBAF94CE2BA7AACDEDDEE22828DB1F022DDE5EC22030F9E35B255CA61205726862CF0E
                                                                                                                            Malicious:false
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):6384
                                                                                                                            Entropy (8bit):3.7273716578467684
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:R6l7wVeJfuJ6ntYiPJJcprB89bjnsfrqBm:R6lXJw6tYgJJPjsfh
                                                                                                                            MD5:3919D0B5A08663536B506AE5758B9FFE
                                                                                                                            SHA1:1BDA3AF002C47E682A7F1A718A7FFA4C21B42ED1
                                                                                                                            SHA-256:C8533F1FAAD22712B4F70CD978122BF7705BDB47F0234AD1FC7A5FED095C55C6
                                                                                                                            SHA-512:A6E05F0DFE3D61F17C4F285400BEC7C6710458A282D29480CF4D2BF1384F9F160DC8FD7FA456F25E379012E5150C36F21CBA27804AD30FC11620E78C7B9F3A53
                                                                                                                            Malicious:false
                                                                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.8.4.<./.P.i.
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):4713
                                                                                                                            Entropy (8bit):4.521361199821821
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:cvIwWl8zsWJg77aI9joWpW8VY6Ym8M4Jk8zFP+q8xY1/TvzxkNfd:uIjfsI71B7VWJHNaU/5kRd
                                                                                                                            MD5:F3BACA1D7789E4C51527FE225FB036A0
                                                                                                                            SHA1:F707346942747E8E7C267084DC68792C5DCA7DAB
                                                                                                                            SHA-256:740CA628ACD3BE0AB96F77E0A287931992B7D6364322F4DB5B711385BFB8348C
                                                                                                                            SHA-512:3601C028B3B832EA997FBA6ADC10520F971BDE1CEEFB51FB5CD77B3BD421B8DABF2030671E336E8440CDF5B3609F1026E725B0160B4BDD20BD1F358A5E3ED54A
                                                                                                                            Malicious:false
                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="311591" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):3188736
                                                                                                                            Entropy (8bit):7.981027272062894
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:98304:DInXnNqIvqO74jZlyPeYy+sOnc6FqoMD:ygISO7sZae+FcSMD
                                                                                                                            MD5:51014F1C86736D8F91D432548062EBBF
                                                                                                                            SHA1:6D0BAB0A443FF43C293F57DFACE65DFEA47501A9
                                                                                                                            SHA-256:1845D2A25B628C6FF5E489F83FF975A0C8140BBEEB8EA05F5404A45EE2F9C7EA
                                                                                                                            SHA-512:E05A72A5DEDE84005AEDB80884CE191180BFD811A5AA197E18B5D467170B1E6B534B42EEF3F37782355193663F952599D7EB6D0121A6F1ADB2019CB3B547187D
                                                                                                                            Malicious:true
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                            • Antivirus: ReversingLabs, Detection: 39%
                                                                                                                            • Antivirus: Virustotal, Detection: 40%
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):26
                                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                            Malicious:false
                                                                                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):5526
                                                                                                                            Entropy (8bit):7.899067442079574
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:VTbWGzqeAoMq+YK0KF8cAJiI2i+uvUmGsFQT0ozoPCMHz3KJY9LpO:NqASpF8wF+hFQ0koPl6Jb
                                                                                                                            MD5:5FC9973F4733EB3DA520CD2B5F842AC6
                                                                                                                            SHA1:56834308A0D9A532070C01D8D6AB59539A6DE240
                                                                                                                            SHA-256:CFCF7416481CB10ED8D5A2B87DE7AC638BEA81AD3DD5B498BD26B9185C0FD28D
                                                                                                                            SHA-512:97D52200FB94EDC3A06112AEF3F7B917053A42E02E4D2139CB804B65B365F90593E437BE6155139411B7D9BF29B788F0F35F1EFE2EA6BB8F56412074363217C7
                                                                                                                            Malicious:true
                                                                                                                            Yara Hits:
                                                                                                                            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\9wBRx7ST9VOnJqni_JpioUs.zip, Author: Joe Security
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                            Category:modified
                                                                                                                            Size (bytes):5593
                                                                                                                            Entropy (8bit):7.897308670656991
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:WYWGzqeAoMq+YK0KF8cAJiI2i+uVrV0C/SAcrQb1o8ygX3KJvx:RqASpF8wFqa8SP8v6JZ
                                                                                                                            MD5:EAC7219D7514E3DB624FD2DFA63C5985
                                                                                                                            SHA1:AC7D38B5171840603101CF3BD8ABC604FFAEEF63
                                                                                                                            SHA-256:D86D27A46CBC1DD538D02498EC5E03BFDB71DFE5F294EDDA9DA33D354EC94895
                                                                                                                            SHA-512:063768A2A0CE9ED77CAD8AF74D4C89FE37CD2AB11AB7557C21AE90FE189F3C7F92802395799FD67A92C136C1F45A5BD5BA7BD9E5B62E7187B6579F1B710920DD
                                                                                                                            Malicious:true
                                                                                                                            Yara Hits:
                                                                                                                            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\PSdiYEtw_DOSPKoK_uBheap.zip, Author: Joe Security
Process:C:\Users\user\Desktop\file.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):13
Entropy (8bit):2.71929452566698
Encrypted:false
SSDEEP:3:LXRJQn:bRen
MD5:1FCDAF381F15F605ABAAFF8DE3887A8B
SHA1:6940164F10801D9DA5792A4DDF59C4FAF2063B64
SHA-256:46EC0FC8056E99872F7040240226EED9F44C4BEF644630C1F7B06C8F88DC4514
SHA-512:4CFBA1A1A825C6EFAA0FE90C27CE924381F975E6A17C80A6495BBCC3A39AD6A9059071898632C61FCF8055082391C8A473ADDC62D1C501F8FA572A4488982071
Malicious:false
Preview:1715022640625
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):98304
Entropy (8bit):0.08235737944063153
Encrypted:false
SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.037963276276857943
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:C0FDF21AE11A6D1FA1201D502614B622
SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):49152
Entropy (8bit):0.8180424350137764
Encrypted:false
SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:349E6EB110E34A08924D92F6B334801D
SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:dropped
Size (bytes):28672
Entropy (8bit):2.5793180405395284
Encrypted:false
SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:41EA9A4112F057AE6BA17E2838AEAC26
SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):126976
Entropy (8bit):0.47147045728725767
Encrypted:false
SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:false
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7873599747470391
Encrypted:false
SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Preview:SQLite format 3 (non-printable header bytes elided)

Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1358696453229276
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:28591AA4E12D1C4FC761BE7C0A468622
SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:false
Preview:SQLite format 3 (non-printable header bytes elided)

Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Preview:SQLite format 3 (non-printable header bytes elided)

Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):126976
Entropy (8bit):0.47147045728725767
Encrypted:false
SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:false
Preview:SQLite format 3 (non-printable header bytes elided)

Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Preview:SQLite format 3 (non-printable header bytes elided)

Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Preview:SQLite format 3 (non-printable header bytes elided)

Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):159744
Entropy (8bit):0.7873599747470391
Encrypted:false
SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:false
Preview:SQLite format 3 (non-printable header bytes elided)

Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):98304
Entropy (8bit):0.08235737944063153
Encrypted:false
SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:false
Preview:SQLite format 3 (non-printable header bytes elided)

Process:C:\Users\user\Desktop\file.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):126976
Entropy (8bit):0.47147045728725767
Encrypted:false
SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:false
Preview:SQLite format 3 (non-printable header bytes elided)

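The File Type, Size (bytes) and Entropy (8bit) fields in the entries above are all derived from the first 100 bytes of each dropped SQLite file, and several entries carry identical hashes, meaning the same database content was written out more than once. The Python below is an added triage script, not part of the Joe Sandbox report and not code from the analysed sample: it decodes the SQLite 3 header fields the report quotes (page size, file change counter, page count, schema cookie, schema format, text encoding, user version, version-valid-for, SQLite version), computes the 8-bit Shannon entropy and SHA-256 shown per file, checks whether page size multiplied by the header's page count agrees with the actual file size, and groups files whose hashes match. The database it runs on is constructed in-code from a zero-filled buffer with a valid header and is not one of the dropped files; the paths are hypothetical.

```python
import hashlib
import math
import struct
from collections import Counter, defaultdict

SQLITE_MAGIC = b"SQLite format 3\x00"
HEADER_LEN = 100
ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def parse_sqlite_header(data: bytes) -> dict:
    """Decode the 100-byte SQLite 3 file header; every multi-byte field is big-endian."""
    if len(data) < HEADER_LEN or data[:16] != SQLITE_MAGIC:
        raise ValueError("not an SQLite 3 database (bad magic or file too short)")
    raw_page_size, write_ver, read_ver = struct.unpack_from(">HBB", data, 16)
    page_size = 65536 if raw_page_size == 1 else raw_page_size  # value 1 encodes 64 KiB
    (change_counter, db_pages, _freelist_trunk, _freelist_count,
     schema_cookie, schema_format, _cache_size, _largest_root,
     text_encoding, user_version) = struct.unpack_from(">10I", data, 24)
    version_valid_for, sqlite_version = struct.unpack_from(">II", data, 92)
    return {
        "page_size": page_size,
        "write_version": write_ver,
        "read_version": read_ver,
        "file_counter": change_counter,
        "database_pages": db_pages,
        "schema_cookie": schema_cookie,
        "schema_format": schema_format,
        "encoding": ENCODINGS.get(text_encoding, f"unknown({text_encoding})"),
        "user_version": user_version,
        "version_valid_for": version_valid_for,
        "sqlite_version": sqlite_version,
        # the in-header page count is only meaningful when these two fields agree
        "page_count_valid": version_valid_for == change_counter,
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (a single byte value) to 8.0 (uniform); the report's Entropy (8bit)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(path: str, data: bytes) -> dict:
    """Per-file record mirroring the report's fields, plus a header/size consistency flag."""
    hdr = parse_sqlite_header(data)
    expected_size = hdr["page_size"] * hdr["database_pages"]
    return {
        "path": path,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "entropy": round(shannon_entropy(data), 4),
        "header": hdr,
        # False means the file is larger or smaller than its header claims; WAL-mode
        # databases, preallocated files and partial copies all look like this
        "size_matches_header": hdr["page_count_valid"] and expected_size == len(data),
    }


def group_identical(records: list) -> dict:
    """SHA-256 -> list of paths, keeping only hashes that occur more than once."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["sha256"]].append(rec["path"])
    return {digest: paths for digest, paths in groups.items() if len(paths) > 1}


def build_sample_db(page_size=2048, pages=56, counter=2, cookie=0x24, schema=4,
                    user_version=0, sqlite_version=3035005) -> bytes:
    """Constructed stand-in: a valid header over zero-filled pages. This is NOT one of the
    dropped files from the report. page_size must be below 65536 for this helper."""
    hdr = bytearray(HEADER_LEN)
    hdr[:16] = SQLITE_MAGIC
    # page size, write/read version 2 (WAL-capable), reserved bytes, payload fractions
    struct.pack_into(">HBBBBBB", hdr, 16, page_size, 2, 2, 0, 64, 32, 32)
    struct.pack_into(">10I", hdr, 24, counter, pages, 0, 0, cookie, schema, 0, 0, 1, user_version)
    struct.pack_into(">II", hdr, 92, counter, sqlite_version)
    return bytes(hdr) + bytes(page_size * pages - HEADER_LEN)


if __name__ == "__main__":
    db = build_sample_db()
    # hypothetical paths: byte-identical copies dropped under different names
    records = [triage(p, db) for p in ("harvest\\copy_a.db", "harvest\\copy_b.db")]
    for rec in records:
        print(rec["path"], rec["size"], rec["entropy"], rec["header"]["sqlite_version"],
              "size ok" if rec["size_matches_header"] else "SIZE MISMATCH")
    for digest, paths in group_identical(records).items():
        print("identical content:", digest[:16], "->", paths)
```

Entropy this low (well under 1 bit per byte) simply reflects that most pages of a small browser database are zero-filled, so it says nothing about packing or encryption; the SHA-256 grouping is the more useful signal here, since one dropped file copied to several locations is a common pattern when a stealer stages harvested browser databases before exfiltration.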
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):5242880
                                                                                                                            Entropy (8bit):0.037963276276857943
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                            MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                            SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                            SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                            SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):106496
                                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):126976
                                                                                                                            Entropy (8bit):0.47147045728725767
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                            MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                            SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                            SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                            SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):5242880
                                                                                                                            Entropy (8bit):0.037963276276857943
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                            MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                            SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                            SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                            SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):114688
                                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):40960
                                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):106496
                                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):159744
                                                                                                                            Entropy (8bit):0.7873599747470391
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                            MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                            SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                            SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                            SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):49152
                                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):28672
                                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):40960
                                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):159744
                                                                                                                            Entropy (8bit):0.7873599747470391
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                            MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                            SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                            SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                            SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):106496
                                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):114688
                                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):114688
                                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):98304
                                                                                                                            Entropy (8bit):0.08235737944063153
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                            MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                            SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                            SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                            SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):114688
                                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):5242880
                                                                                                                            Entropy (8bit):0.037963276276857943
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                            MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                            SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                            SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                            SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):159744
                                                                                                                            Entropy (8bit):0.7873599747470391
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                            MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                            SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                            SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                            SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 5242880
Entropy (8bit): 0.037963276276857943
Encrypted: false
SSDEEP: 192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5: C0FDF21AE11A6D1FA1201D502614B622
SHA1: 11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256: FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512: A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious: false

Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 106496
Entropy (8bit): 1.1358696453229276
Encrypted: false
SSDEEP: 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5: 28591AA4E12D1C4FC761BE7C0A468622
SHA1: BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256: 51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512: 5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious: false

Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 114688
Entropy (8bit): 0.9746603542602881
Encrypted: false
SSDEEP: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5: 780853CDDEAEE8DE70F28A4B255A600B
SHA1: AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256: 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512: E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious: false

Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.8553638852307782
Encrypted: false
SSDEEP: 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5: 28222628A3465C5F0D4B28F70F97F482
SHA1: 1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256: 93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512: C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious: false

Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 126976
Entropy (8bit): 0.47147045728725767
Encrypted: false
SSDEEP: 96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5: A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1: BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256: B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512: C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious: false

Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 106496
Entropy (8bit): 1.1358696453229276
Encrypted: false
SSDEEP: 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5: 28591AA4E12D1C4FC761BE7C0A468622
SHA1: BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256: 51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512: 5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious: false

Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.8553638852307782
Encrypted: false
SSDEEP: 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5: 28222628A3465C5F0D4B28F70F97F482
SHA1: 1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256: 93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512: C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious: false

Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category: dropped
Size (bytes): 159744
Entropy (8bit): 0.7873599747470391
Encrypted: false
SSDEEP: 96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5: 6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1: 4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256: 0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512: BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious: false

Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 114688
Entropy (8bit): 0.9746603542602881
Encrypted: false
SSDEEP: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5: 780853CDDEAEE8DE70F28A4B255A600B
SHA1: AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256: 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512: E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious: false

Process: C:\ProgramData\MPGPH131\MPGPH131.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category: dropped
Size (bytes): 28672
Entropy (8bit): 2.5793180405395284
Encrypted: false
SSDEEP: 96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5: 41EA9A4112F057AE6BA17E2838AEAC26
SHA1: F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256: CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512: 29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious: false
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):126976
                                                                                                                            Entropy (8bit):0.47147045728725767
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                            MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                            SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                            SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                            SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):49152
                                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):106496
                                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):98304
                                                                                                                            Entropy (8bit):0.08235737944063153
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                            MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                            SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                            SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                            SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):5242880
                                                                                                                            Entropy (8bit):0.037963276276857943
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                            MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                            SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                            SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                            SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):106496
                                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):5242880
                                                                                                                            Entropy (8bit):0.037963276276857943
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                            MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                            SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                            SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                            SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):159744
                                                                                                                            Entropy (8bit):0.7873599747470391
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                            MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                            SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                            SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                            SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):114688
                                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):159744
                                                                                                                            Entropy (8bit):0.7873599747470391
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                            MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                            SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                            SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                            SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):114688
                                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):126976
                                                                                                                            Entropy (8bit):0.47147045728725767
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                            MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                            SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                            SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                            SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):106496
                                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):40960
                                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):40960
                                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):28672
                                                                                                                            Entropy (8bit):2.5793180405395284
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                                            MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                                            SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                                            SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                                            SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):126976
                                                                                                                            Entropy (8bit):0.47147045728725767
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                            MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                            SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                            SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                            SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):114688
                                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):49152
                                                                                                                            Entropy (8bit):0.8180424350137764
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                                            MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                                            SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                                            SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                                            SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):106496
                                                                                                                            Entropy (8bit):1.1358696453229276
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                            MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                            SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                            SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                            SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):5574
                                                                                                                            Entropy (8bit):7.898028478345893
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:RWGzqeAoMq+YK0KF8cAJiI2i+uZ7czpYizCaGnwdUUt0S3KJ2G:VqASpF8wFOIzTfZdUUOS6J2G
                                                                                                                            MD5:181A27FA5AF5932F05CBA9FE173536AE
                                                                                                                            SHA1:E2FA21601E1FFC2FEE7270F173EC6E3D6F835E12
                                                                                                                            SHA-256:1FB0A2B4677EC01D15EEE4828D78D6DFEA081F662AF47AB74F7A628DF82BDC5B
                                                                                                                            SHA-512:4BC872A05C20C7BF8D5F8DF2300799CAD9FB30363C91A95B6636E999DE0D4236DDAF8CE73007C34F5FB0770CB8F5D8EF878EF19419F6823522651C11F6F15A36
                                                                                                                            Malicious:true
                                                                                                                            Yara Hits:
                                                                                                                            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\tC131VXqxqwXyoqOe7muh9i.zip, Author: Joe Security
                                                                                                                            Preview:PK...........X................Cookies\..PK...........XQn.+............Cookies\Chrome_Default.txt.G..r...U.#.5C.....s$..-.D...7.\..$.G.)o....:....Z.C.f_..pm............"..t..t....}.k.@...a.2+P`.0.x.>....s..k%.._..b..P..((......B.....`.7..-m..JY..F....E.*.l.....I..&.....<J..M.......,V...)b.....Q..k......M?.5L....h}......X..'.0..tB.G...\;.a....4.......B4.......J.4.6.y:....4.-.UfE...3A*p.U5UX....Z.g:*e.j.C..Bw..........e..a^.vU:....$..U......B..`._.e.....+...9.{u...7.e...H.]02...%yR".0...x...P<..N....R.}....{.G...;..c..x...kw.'S>.d|.....B..k.9.t.!>.rh...~n.[....s#/....`.!..Kb8%&.vZB`....O|.....>K......L*...d0..03..t...T&.......`N.xp.."..J.......Q.....c..5...).Z.91.6.j..G.....Wr...a.52!..(^.U.....6....dB.D.^...7..0H.\J9.H.$^`e"..d...\....B.8Z=.qeP.3Y.>..'W.X..T..>z...,..K......g....%B.w4#...;.[]u|....v...3.;L..U?..b.....u..*..... .......F...P.a...|R*3.=......r.:.64...#D..^..>.A..ZT.]E........t...f...1..3.....`...X.....C.]%...p.p.ym
                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            File Type:ASCII text, with very long lines (769), with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):6085
                                                                                                                            Entropy (8bit):6.038274200863744
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
                                                                                                                            MD5:ACB5AD34236C58F9F7D219FB628E3B58
                                                                                                                            SHA1:02E39404CA22F1368C46A7B8398F5F6001DB8F5C
                                                                                                                            SHA-256:05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
                                                                                                                            SHA-512:5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
                                                                                                                            Malicious:false
                                                                                                                            Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH
                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):6597
                                                                                                                            Entropy (8bit):5.381904966077102
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:xdQ4zn5RoEcT4Aisph+9hcmpN8Xa77Y6lANUbg3x:xqECEvAtphWhcmpN8Xa7sB
                                                                                                                            MD5:0E695507ED2A8C5FF8124A8AF693AE01
                                                                                                                            SHA1:01CED25903043763C9CE64EEA02556A7B3D43ED7
                                                                                                                            SHA-256:3E790E17AE8188098232BE6EF2FD222C7DADA28AFA96EA285624BE80047BDF63
                                                                                                                            SHA-512:C860C7D495E6A21BCCCCCFB158F416CE8B520806C39C114A6242D3B1B74D000C2540F92822FCC198A614D857E1B73AB4F8439E8168C8BE5C3089F7BFE6B1FFE2
                                                                                                                            Malicious:false
                                                                                                                            Preview:Build: domen..Version: 2.0....Date: Mon May 6 20:08:16 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 7e55834bc82db041109988ce9c6b5293....Path: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixyHju_g2DxItFq....IP: 84.17.40.101..Location: US, Miami..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 936905 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 6/5/2024 20:8:16..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvho
                                                                                                                            Process:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):4897
                                                                                                                            Entropy (8bit):2.518316437186352
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                                                                                                            MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                                                                                                            SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                                                                                                            SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                                                                                                            SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                                                                                                            Malicious:false
                                                                                                                            Preview:................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:ASCII text, with very long lines (769), with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):6085
                                                                                                                            Entropy (8bit):6.038274200863744
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
                                                                                                                            MD5:ACB5AD34236C58F9F7D219FB628E3B58
                                                                                                                            SHA1:02E39404CA22F1368C46A7B8398F5F6001DB8F5C
                                                                                                                            SHA-256:05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
                                                                                                                            SHA-512:5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
                                                                                                                            Malicious:false
                                                                                                                            Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):6576
                                                                                                                            Entropy (8bit):5.373448179428926
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:xdQ4zZ5RoEcT4Aisph+9hcmpN8Xa77Y6lANUbg3x:xq4CEvAtphWhcmpN8Xa7sB
                                                                                                                            MD5:930E032F5DEA77A44698333A52DEFB69
                                                                                                                            SHA1:A74D3CD49EC58C26376E4BC88414306DD76B822D
                                                                                                                            SHA-256:3B9826CE5FA664406D0C5F2910C50361C4533B3696B41F74FA8EC0D4A7450DCF
                                                                                                                            SHA-512:BC62D5CA2610E9E8112676798CF8C7D7010AC32E77FE2B79C4CC1DAD1CFE7E7FC0343914D2EE4603E5AC5A4CC3B5DEE89033D9D7A67E0A078AAFEB8D5B6CFC50
                                                                                                                            Malicious:false
                                                                                                                            Preview:Build: domen..Version: 2.0....Date: Mon May 6 20:08:16 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 7e55834bc82db041109988ce9c6b5293....Path: C:\Users\user\Desktop\file.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixyMW7ZIM5Bq6VF....IP: 84.17.40.101..Location: US, Miami..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 936905 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 6/5/2024 20:8:16..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.exe [784]..svchost
                                                                                                                            Process:C:\Users\user\Desktop\file.exe
                                                                                                                            File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):4897
                                                                                                                            Entropy (8bit):2.518316437186352
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                                                                                                            MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                                                                                                            SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                                                                                                            SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                                                                                                            SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                                                                                                            Malicious:false
                                                                                                                            Preview:................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:ASCII text, with very long lines (769), with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):6085
                                                                                                                            Entropy (8bit):6.038274200863744
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
                                                                                                                            MD5:ACB5AD34236C58F9F7D219FB628E3B58
                                                                                                                            SHA1:02E39404CA22F1368C46A7B8398F5F6001DB8F5C
                                                                                                                            SHA-256:05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
                                                                                                                            SHA-512:5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
                                                                                                                            Malicious:false
                                                                                                                            Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):6392
                                                                                                                            Entropy (8bit):5.373770793597438
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:xd+4zq5RoKLcT4Aisph+9hcBp18B77Y6YANUbg3x:xI3CKLvAtphWhcBp18B7nB
                                                                                                                            MD5:A70CF1A3EB112594FC8FE6A68FF29338
                                                                                                                            SHA1:7A9F13419E522DCE27508415D8A68F6A9F303B96
                                                                                                                            SHA-256:F3EF57433D1876FDC9F35E989E076F3D2DCD1952FC512BADF4B604D69B03988D
                                                                                                                            SHA-512:D44A121050C62FC25654BDE6CBDD803DA4F99203798DB319E0BC6D2AB279B7C2C2EC38BA52CB06B9F554D03BB8A0F4D4CEB0911D5A37F0BD921D38CADFC72130
                                                                                                                            Malicious:false
Preview: Build: domen..Version: 2.0....Date: Mon May 6 20:08:47 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 7e55834bc82db041109988ce9c6b5293....Path: C:\ProgramData\MPGPH131\MPGPH131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixyVDXBLDHnzSSM....IP: 84.17.40.101..Location: US, Miami..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 936905 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 6/5/2024 20:8:47..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.exe [784]..sv
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.981027272062894
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 3'188'736 bytes
MD5: 51014f1c86736d8f91d432548062ebbf
SHA1: 6d0bab0a443ff43c293f57dface65dfea47501a9
SHA256: 1845d2a25b628c6ff5e489f83ff975a0c8140bbeeb8ea05f5404a45ee2f9c7ea
SHA512: e05a72a5dede84005aedb80884ce191180bfd811a5aa197e18b5d467170b1e6b534b42eef3f37782355193663f952599d7eb6d0121a6f1adb2019cb3b547187d
SSDEEP: 98304:DInXnNqIvqO74jZlyPeYy+sOnc6FqoMD:ygISO7sZae+FcSMD
TLSH: 80E533103553754DF91C23BB0B7E4BB213606CB76A520BE7926D391FAAEB5C876084E2
File Content Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s
Icon Hash: 1e637808c76c1d83
Entrypoint: 0xf5ca8c
Entrypoint Section: .data
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x663639CA [Sat May 4 13:36:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 272279f18f704f637aa129691266b291
Instruction
jmp 00007F8A1D4E259Ah
add byte ptr [eax+0000000Eh], bl
add byte ptr [eax], al
pushad
call 00007F8A1D4E2595h
pop ebp
sub ebp, 00000010h
sub ebp, 00B5CA8Ch
jmp 00007F8A1D4E2599h
and dword ptr [esi+edx-357347C5h], 000300B5h
add eax, 0000004Ch
mov ecx, 000005B0h
mov edx, E63CE4B7h
xor byte ptr [eax], dl
inc eax
dec ecx
jne 00007F8A1D4E258Ch
jmp 00007F8A1D4E2599h
cmp eax, 3CBFE389h
jp 00007F8A1D4E25CEh
mov esi, dword ptr [edi+7636B7B7h]
dec edi
mov bh, B7h
mov bh, B4h
jp 00007F8A1D4E25A1h
mov cl, B7h
mov bh, B7h
or eax, B7B7B79Fh
inc eax
push ebp
mov ah, 7Fh
cmp al, 36h
mov ebx, B4B7B7B7h
jc 00007F8A1D4E25CCh
rcl dword ptr [ebx-6C4CC1B5h], cl
cmp dl, bl
xchg eax, ebx
dec ebx
mov bl, 93h
fbld [edi-20486910h]
retf
xor al, 23h
mov bh, B6h
wait
xchg eax, ebx
fistp qword ptr [edi]
leave
sub bl, 0000005Fh
mov dl, B7h
mov bh, B7h
pop esi
xchg dword ptr [edi-2CC54849h], esi
xchg eax, ebx
dec ebx
wait
xchg eax, ebx
cmp bl, bl
xchg eax, ebx
mov bh, 3Ch
xor bh, byte ptr [edi+3CB7B7B7h]
and bh, byte ptr [ebx+3CB7B7B7h]
cmp ah, byte ptr [edi+76B7B7B7h]
pop esi
mov ch, 86h
mov ch, 34h
jne 00007F8A1D4E2545h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x940050 | 0xd0b | .data
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x940d5c | 0x3b0 | .data
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a1000 | 0xc8bc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x940030 | 0x10 | .data
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x940000 | 0x18 | .data
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(nameless) | 0x1000 | 0x15c000 | 0x93600 | 1c30c55f327dff326a32a79b19e348d6 | False | 0.9999685247031382 | data | 7.999675017725288 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(nameless) | 0x15d000 | 0x28000 | 0x10200 | 74548ae799e79fc20306cc602d37a794 | False | 0.9983648255813954 | data | 7.99639087266641 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(nameless) | 0x185000 | 0x5000 | 0x800 | 3818ed903188218960f33e014f774303 | False | 0.9970703125 | data | 7.83802229172669 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(nameless) | 0x18a000 | 0xd000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(nameless) | 0x197000 | 0xa000 | 0x6200 | 190e1a61abc7d6a0a7c981417fcc65a3 | False | 0.9881616709183674 | data | 7.972593331740996 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1a1000 | 0xd000 | 0xca00 | 6e46563fc615b7272cc3ab7b669e3874 | False | 0.6000541460396039 | data | 5.556770173829542 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(nameless) | 0x1ae000 | 0x78f000 | 0x32800 | 06bf0b39137a35cdc92c7a5f4bd29b27 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data | 0x93d000 | 0x221000 | 0x221000 | 09fd6339de78073bdda8de6df01391d2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1a1370 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | Russian | Russia | 0.31402439024390244
RT_ICON | 0x1a19d8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | Russian | Russia | 0.42338709677419356
RT_ICON | 0x1a1cc0 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | Russian | Russia | 0.5061475409836066
RT_ICON | 0x1a1ea8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | Russian | Russia | 0.5675675675675675
RT_ICON | 0x1a1fd0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Russian | Russia | 0.46961620469083154
RT_ICON | 0x1a2e78 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Russian | Russia | 0.4020758122743682
RT_ICON | 0x1a3720 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Russian | Russia | 0.45506912442396313
RT_ICON | 0x1a3de8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Russian | Russia | 0.2904624277456647
RT_ICON | 0x1a4350 | 0x4b55 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Russian | Russia | 0.9921182266009853
RT_ICON | 0x1a8ea8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Russian | Russia | 0.316701244813278
RT_ICON | 0x1ab450 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Russian | Russia | 0.36186679174484054
RT_ICON | 0x1ac4f8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Russian | Russia | 0.42418032786885246
RT_ICON | 0x1ace80 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Russian | Russia | 0.5026595744680851
RT_GROUP_ICON | 0x1ad2e8 | 0xbc | data | Russian | Russia | 0.6170212765957447
RT_VERSION | 0x1ad3a4 | 0x398 | OpenPGP Public Key | Russian | Russia | 0.42282608695652174
RT_MANIFEST | 0x1ad73c | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
kernel32.dll | GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll | MessageBoxA
advapi32.dll | RegCloseKey
oleaut32.dll | SysFreeString
gdi32.dll | CreateFontA
shell32.dll | ShellExecuteA
version.dll | GetFileVersionInfoA
ole32.dll | CoInitialize
WS2_32.dll | WSAStartup
CRYPT32.dll | CryptUnprotectData
SHLWAPI.dll | PathFindExtensionA
gdiplus.dll | GdipGetImageEncoders
SETUPAPI.dll | SetupDiEnumDeviceInfo
ntdll.dll | RtlUnicodeStringToAnsiString
RstrtMgr.DLL | RmStartSession
Language of compilation system | Country where language is spoken
Russian | Russia
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/06/24-20:08:42.332746 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49731 | 58709 | 192.168.2.4 | 147.45.47.93
05/06/24-20:08:11.803337 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
05/06/24-20:07:53.913307 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
05/06/24-20:07:57.036164 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
05/06/24-20:07:53.682907 | TCP | 2049060 | ET TROJAN RisePro TCP Heartbeat Packet | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
05/06/24-20:08:04.120685 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49733 | 147.45.47.93 | 192.168.2.4
05/06/24-20:08:05.646832 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49733 | 147.45.47.93 | 192.168.2.4
05/06/24-20:07:56.321028 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49732 | 147.45.47.93 | 192.168.2.4
05/06/24-20:08:18.051763 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49738 | 58709 | 192.168.2.4 | 147.45.47.93
05/06/24-20:07:56.309289 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49731 | 147.45.47.93 | 192.168.2.4
05/06/24-20:08:11.640975 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49738 | 147.45.47.93 | 192.168.2.4
05/06/24-20:08:15.381006 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49731 | 147.45.47.93 | 192.168.2.4
05/06/24-20:08:11.897367 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49738 | 147.45.47.93 | 192.168.2.4
05/06/24-20:08:09.259896 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49733 | 58709 | 192.168.2.4 | 147.45.47.93
05/06/24-20:08:30.364347 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49732 | 58709 | 192.168.2.4 | 147.45.47.93
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 6, 2024 20:07:53.429881096 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
May 6, 2024 20:07:53.671523094 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
May 6, 2024 20:07:53.671605110 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
May 6, 2024 20:07:53.682907104 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
May 6, 2024 20:07:53.913306952 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
May 6, 2024 20:07:53.957776070 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
May 6, 2024 20:07:53.976671934 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
May 6, 2024 20:07:55.824038982 CEST | 49731 | 58709 | 192.168.2.4 | 147.45.47.93
May 6, 2024 20:07:55.824769974 CEST | 49732 | 58709 | 192.168.2.4 | 147.45.47.93
May 6, 2024 20:07:56.065807104 CEST | 58709 | 49731 | 147.45.47.93 | 192.168.2.4
May 6, 2024 20:07:56.065886021 CEST | 49731 | 58709 | 192.168.2.4 | 147.45.47.93
May 6, 2024 20:07:56.066797018 CEST | 58709 | 49732 | 147.45.47.93 | 192.168.2.4
May 6, 2024 20:07:56.066957951 CEST | 49732 | 58709 | 192.168.2.4 | 147.45.47.93
May 6, 2024 20:07:56.071782112 CEST | 49732 | 58709 | 192.168.2.4 | 147.45.47.93
May 6, 2024 20:07:56.072952032 CEST | 49731 | 58709 | 192.168.2.4 | 147.45.47.93
May 6, 2024 20:07:56.309288979 CEST | 58709 | 49731 | 147.45.47.93 | 192.168.2.4
May 6, 2024 20:07:56.321027994 CEST | 58709 | 49732 | 147.45.47.93 | 192.168.2.4
May 6, 2024 20:07:56.364065886 CEST | 49731 | 58709 | 192.168.2.4 | 147.45.47.93
May 6, 2024 20:07:56.364069939 CEST | 49732 | 58709 | 192.168.2.4 | 147.45.47.93
May 6, 2024 20:07:56.367609978 CEST | 58709 | 49731 | 147.45.47.93 | 192.168.2.4
May 6, 2024 20:07:57.036164045 CEST | 49730 | 58709 | 192.168.2.4 | 147.45.47.93
May 6, 2024 20:07:57.320930958 CEST | 58709 | 49730 | 147.45.47.93 | 192.168.2.4
May 6, 2024 20:07:59.426615953 CEST | 49731 | 58709 | 192.168.2.4 | 147.45.47.93
                                                                                                                            May 6, 2024 20:07:59.457962036 CEST4973258709192.168.2.4147.45.47.93
                                                                                                                            May 6, 2024 20:07:59.711488008 CEST5870949731147.45.47.93192.168.2.4
                                                                                                                            May 6, 2024 20:07:59.742330074 CEST5870949732147.45.47.93192.168.2.4
                                                                                                                            May 6, 2024 20:08:03.631109953 CEST4973358709192.168.2.4147.45.47.93
                                                                                                                            May 6, 2024 20:08:03.875864983 CEST5870949733147.45.47.93192.168.2.4
                                                                                                                            May 6, 2024 20:08:03.875960112 CEST4973358709192.168.2.4147.45.47.93
                                                                                                                            May 6, 2024 20:08:03.885246992 CEST4973358709192.168.2.4147.45.47.93
                                                                                                                            May 6, 2024 20:08:04.120685101 CEST5870949733147.45.47.93192.168.2.4
                                                                                                                            May 6, 2024 20:08:04.176578999 CEST4973358709192.168.2.4147.45.47.93
                                                                                                                            May 6, 2024 20:08:04.182113886 CEST5870949733147.45.47.93192.168.2.4
                                                                                                                            May 6, 2024 20:08:05.646831989 CEST5870949733147.45.47.93192.168.2.4
                                                                                                                            May 6, 2024 20:08:05.692157030 CEST4973358709192.168.2.4147.45.47.93
                                                                                                                            May 6, 2024 20:08:05.936779976 CEST5870949733147.45.47.93192.168.2.4
                                                                                                                            May 6, 2024 20:08:05.989051104 CEST4973358709192.168.2.4147.45.47.93
                                                                                                                            May 6, 2024 20:08:06.098227024 CEST4973358709192.168.2.4147.45.47.93
                                                                                                                            May 6, 2024 20:08:06.103302002 CEST49734443192.168.2.434.117.186.192
                                                                                                                            May 6, 2024 20:08:06.103332996 CEST4434973434.117.186.192192.168.2.4
                                                                                                                            May 6, 2024 20:08:06.103409052 CEST49734443192.168.2.434.117.186.192
                                                                                                                            May 6, 2024 20:08:06.106945992 CEST49734443192.168.2.434.117.186.192
                                                                                                                            May 6, 2024 20:08:06.106961966 CEST4434973434.117.186.192192.168.2.4
                                                                                                                            May 6, 2024 20:08:06.339298964 CEST4434973434.117.186.192192.168.2.4
                                                                                                                            May 6, 2024 20:08:06.339395046 CEST49734443192.168.2.434.117.186.192
                                                                                                                            May 6, 2024 20:08:06.341357946 CEST49734443192.168.2.434.117.186.192
                                                                                                                            May 6, 2024 20:08:06.341366053 CEST4434973434.117.186.192192.168.2.4
                                                                                                                            May 6, 2024 20:08:06.341618061 CEST4434973434.117.186.192192.168.2.4
                                                                                                                            May 6, 2024 20:08:06.384519100 CEST5870949733147.45.47.93192.168.2.4
                                                                                                                            May 6, 2024 20:08:06.395313978 CEST49734443192.168.2.434.117.186.192
                                                                                                                            May 6, 2024 20:08:06.418107986 CEST49734443192.168.2.434.117.186.192
                                                                                                                            May 6, 2024 20:08:06.464109898 CEST4434973434.117.186.192192.168.2.4
                                                                                                                            May 6, 2024 20:08:06.599848032 CEST4434973434.117.186.192192.168.2.4
                                                                                                                            May 6, 2024 20:08:06.599961042 CEST4434973434.117.186.192192.168.2.4
                                                                                                                            May 6, 2024 20:08:06.603946924 CEST49734443192.168.2.434.117.186.192
                                                                                                                            May 6, 2024 20:08:08.198303938 CEST49734443192.168.2.434.117.186.192
                                                                                                                            May 6, 2024 20:08:08.198335886 CEST4434973434.117.186.192192.168.2.4
                                                                                                                            May 6, 2024 20:08:08.198354006 CEST49734443192.168.2.434.117.186.192
                                                                                                                            May 6, 2024 20:08:08.198359966 CEST4434973434.117.186.192192.168.2.4
                                                                                                                            May 6, 2024 20:08:08.373500109 CEST49735443192.168.2.4104.26.5.15
                                                                                                                            May 6, 2024 20:08:08.373542070 CEST44349735104.26.5.15192.168.2.4
                                                                                                                            May 6, 2024 20:08:08.373617887 CEST49735443192.168.2.4104.26.5.15
                                                                                                                            May 6, 2024 20:08:08.373917103 CEST49735443192.168.2.4104.26.5.15
                                                                                                                            May 6, 2024 20:08:08.373934031 CEST44349735104.26.5.15192.168.2.4
                                                                                                                            May 6, 2024 20:08:08.604105949 CEST44349735104.26.5.15192.168.2.4
                                                                                                                            May 6, 2024 20:08:08.604253054 CEST49735443192.168.2.4104.26.5.15
                                                                                                                            May 6, 2024 20:08:08.606523991 CEST49735443192.168.2.4104.26.5.15
                                                                                                                            May 6, 2024 20:08:08.606535912 CEST44349735104.26.5.15192.168.2.4
                                                                                                                            May 6, 2024 20:08:08.606745005 CEST44349735104.26.5.15192.168.2.4
                                                                                                                            May 6, 2024 20:08:08.607738972 CEST49735443192.168.2.4104.26.5.15
                                                                                                                            May 6, 2024 20:08:08.652112007 CEST44349735104.26.5.15192.168.2.4
                                                                                                                            May 6, 2024 20:08:08.964488983 CEST44349735104.26.5.15192.168.2.4
                                                                                                                            May 6, 2024 20:08:08.964575052 CEST44349735104.26.5.15192.168.2.4
                                                                                                                            May 6, 2024 20:08:08.964665890 CEST49735443192.168.2.4104.26.5.15
                                                                                                                            May 6, 2024 20:08:08.964890957 CEST49735443192.168.2.4104.26.5.15
                                                                                                                            May 6, 2024 20:08:08.964917898 CEST44349735104.26.5.15192.168.2.4
                                                                                                                            May 6, 2024 20:08:08.964930058 CEST49735443192.168.2.4104.26.5.15
                                                                                                                            May 6, 2024 20:08:08.964935064 CEST44349735104.26.5.15192.168.2.4
                                                                                                                            May 6, 2024 20:08:08.965241909 CEST4973358709192.168.2.4147.45.47.93
                                                                                                                            May 6, 2024 20:08:09.259840012 CEST5870949733147.45.47.93192.168.2.4
                                                                                                                            May 6, 2024 20:08:09.259896040 CEST4973358709192.168.2.4147.45.47.93
                                                                                                                            May 6, 2024 20:08:09.266164064 CEST5870949733147.45.47.93192.168.2.4
                                                                                                                            May 6, 2024 20:08:09.317173004 CEST4973358709192.168.2.4147.45.47.93
                                                                                                                            May 6, 2024 20:08:09.556468010 CEST5870949733147.45.47.93192.168.2.4
                                                                                                                            May 6, 2024 20:08:09.556528091 CEST4973358709192.168.2.4147.45.47.93
                                                                                                                            May 6, 2024 20:08:09.561661959 CEST5870949733147.45.47.93192.168.2.4
                                                                                                                            May 6, 2024 20:08:09.614058971 CEST4973358709192.168.2.4147.45.47.93
                                                                                                                            May 6, 2024 20:08:09.853571892 CEST5870949733147.45.47.93192.168.2.4
                                                                                                                            May 6, 2024 20:08:09.858696938 CEST5870949733147.45.47.93192.168.2.4
                                                                                                                            May 6, 2024 20:08:09.910964012 CEST4973358709192.168.2.4147.45.47.93
                                                                                                                            May 6, 2024 20:08:09.942348957 CEST4973358709192.168.2.4147.45.47.93
                                                                                                                            May 6, 2024 20:08:10.222027063 CEST5870949733147.45.47.93192.168.2.4
                                                                                                                            May 6, 2024 20:08:10.222080946 CEST5870949733147.45.47.93192.168.2.4
                                                                                                                            May 6, 2024 20:08:10.222093105 CEST5870949733147.45.47.93192.168.2.4
                                                                                                                            May 6, 2024 20:08:10.222107887 CEST5870949733147.45.47.93192.168.2.4
                                                                                                                            May 6, 2024 20:08:10.222120047 CEST5870949733147.45.47.93192.168.2.4
                                                                                                                            May 6, 2024 20:08:10.222131968 CEST5870949733147.45.47.93192.168.2.4
                                                                                                                            May 6, 2024 20:08:10.222142935 CEST5870949733147.45.47.93192.168.2.4
                                                                                                                            May 6, 2024 20:08:10.222156048 CEST5870949733147.45.47.93192.168.2.4
                                                                                                                            May 6, 2024 20:08:10.222155094 CEST4973358709192.168.2.4147.45.47.93
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
May 6, 2024 20:08:05.762731075 CEST  63557        53         192.168.2.4  1.1.1.1
May 6, 2024 20:08:05.874954939 CEST  53           63557      1.1.1.1      192.168.2.4
May 6, 2024 20:08:08.260582924 CEST  58175        53         192.168.2.4  1.1.1.1
May 6, 2024 20:08:08.372803926 CEST  53           58175      1.1.1.1      192.168.2.4
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name       Type            Class        DNS over HTTPS
May 6, 2024 20:08:05.762731075 CEST  192.168.2.4  1.1.1.1  0x6e54    Standard query (0)  ipinfo.io  A (IP address)  IN (0x0001)  false
May 6, 2024 20:08:08.260582924 CEST  192.168.2.4  1.1.1.1  0xc7ac    Standard query (0)  db-ip.com  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name       CName  Address         Type            Class        DNS over HTTPS
May 6, 2024 20:08:05.874954939 CEST  1.1.1.1    192.168.2.4  0x6e54    No error (0)  ipinfo.io         34.117.186.192  A (IP address)  IN (0x0001)  false
May 6, 2024 20:08:08.372803926 CEST  1.1.1.1    192.168.2.4  0xc7ac    No error (0)  db-ip.com         104.26.5.15     A (IP address)  IN (0x0001)  false
May 6, 2024 20:08:08.372803926 CEST  1.1.1.1    192.168.2.4  0xc7ac    No error (0)  db-ip.com         172.67.75.166   A (IP address)  IN (0x0001)  false
May 6, 2024 20:08:08.372803926 CEST  1.1.1.1    192.168.2.4  0xc7ac    No error (0)  db-ip.com         104.26.4.15     A (IP address)  IN (0x0001)  false
• https:
  • ipinfo.io
• db-ip.com


Target ID: 0
Start time: 20:07:50
Start date: 06/05/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xf70000
File size: 3'188'736 bytes
MD5 hash: 51014F1C86736D8F91D432548062EBBF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2023815185.0000000001CEC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.1907164226.0000000001CE6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 20:07:52
Start date: 06/05/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase: 0xeb0000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 20:07:52
Start date: 06/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 20:07:52
Start date: 06/05/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase: 0xeb0000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 20:07:52
Start date: 06/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                            Target ID:5
                                                                                                                            Start time:20:07:53
                                                                                                                            Start date:06/05/2024
                                                                                                                            Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            Imagebase:0x2e0000
                                                                                                                            File size:3'188'736 bytes
                                                                                                                            MD5 hash:51014F1C86736D8F91D432548062EBBF
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:Borland Delphi
                                                                                                                            Yara matches:
                                                                                                                            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000002.2173403489.0000000001838000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000003.2110910326.0000000001838000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000002.2173403489.000000000174D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            Antivirus matches:
                                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                                            • Detection: 39%, ReversingLabs
                                                                                                                             • Detection: 40%, Virustotal
                                                                                                                            Reputation:low
                                                                                                                            Has exited:true

                                                                                                                            Target ID:6
                                                                                                                            Start time:20:07:53
                                                                                                                            Start date:06/05/2024
                                                                                                                            Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            Imagebase:0x2e0000
                                                                                                                            File size:3'188'736 bytes
                                                                                                                            MD5 hash:51014F1C86736D8F91D432548062EBBF
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:Borland Delphi
                                                                                                                            Reputation:low
                                                                                                                            Has exited:true

                                                                                                                            Target ID:7
                                                                                                                            Start time:20:08:00
                                                                                                                            Start date:06/05/2024
                                                                                                                            Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                                                                                                            Imagebase:0x610000
                                                                                                                            File size:3'188'736 bytes
                                                                                                                            MD5 hash:51014F1C86736D8F91D432548062EBBF
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:Borland Delphi
                                                                                                                            Yara matches:
                                                                                                                            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000002.2022464307.000000000191E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            Antivirus matches:
                                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                                            • Detection: 39%, ReversingLabs
                                                                                                                             • Detection: 40%, Virustotal
                                                                                                                            Reputation:low
                                                                                                                            Has exited:true

                                                                                                                            Target ID:8
                                                                                                                            Start time:20:08:08
                                                                                                                            Start date:06/05/2024
                                                                                                                            Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                                                                                                            Imagebase:0x610000
                                                                                                                            File size:3'188'736 bytes
                                                                                                                            MD5 hash:51014F1C86736D8F91D432548062EBBF
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:Borland Delphi
                                                                                                                            Yara matches:
                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                            Reputation:low
                                                                                                                            Has exited:true

                                                                                                                            Target ID:12
                                                                                                                            Start time:20:08:16
                                                                                                                            Start date:06/05/2024
                                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7672 -s 1944
                                                                                                                            Imagebase:0x530000
                                                                                                                            File size:483'680 bytes
                                                                                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:16
                                                                                                                            Start time:20:08:19
                                                                                                                            Start date:06/05/2024
                                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 1908
                                                                                                                            Imagebase:0x530000
                                                                                                                            File size:483'680 bytes
                                                                                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:18
                                                                                                                            Start time:20:08:20
                                                                                                                            Start date:06/05/2024
                                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7428 -s 1980
                                                                                                                            Imagebase:0x530000
                                                                                                                            File size:483'680 bytes
                                                                                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true

                                                                                                                            Target ID:20
                                                                                                                            Start time:20:08:43
                                                                                                                            Start date:06/05/2024
                                                                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 1960
                                                                                                                            Imagebase:0x530000
                                                                                                                            File size:483'680 bytes
                                                                                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:high
                                                                                                                            Has exited:true
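The process records above are what a triage analyst turns into indicators: the same MD5 (51014F1C86736D8F91D432548062EBBF) runs from C:\ProgramData\MPGPH131\MPGPH131.exe and from C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, i.e. the sample copies itself, and the WerFault.exe command lines name the PIDs of the stealer instances that crashed. The Python below is an added example, not part of the Joe Sandbox report; it parses records in this Key:Value layout (one field per line, records separated by blank lines, bullet sub-items under "Yara matches:"), lists path/hash/Yara-rule tuples, flags any hash that ran from more than one path, and extracts the crashed PIDs from the WerFault "-p" arguments. The embedded input is an excerpt of the records on this page (Target IDs 5, 7 and 12), trimmed to the keys the parser uses.

```python
"""Turn Joe Sandbox process records into IOCs (added example, not report code)."""
import re
from collections import defaultdict

# Excerpt of the records above (Target IDs 5, 7, 12), trimmed to the keys used
# here. The parser strips the report's leading indentation, so it is omitted.
SAMPLE_REPORT = r"""
Target ID:5
Path:C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):true
Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
MD5 hash:51014F1C86736D8F91D432548062EBBF
Has elevated privileges:true
Yara matches:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000002.2173403489.0000000001838000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:low

Target ID:7
Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
MD5 hash:51014F1C86736D8F91D432548062EBBF
Has elevated privileges:false
Yara matches:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000002.2022464307.000000000191E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:low

Target ID:12
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7672 -s 1944
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:false
Reputation:high
"""

YARA_RULE = re.compile(r"Rule:\s*(\S+?),")
WERFAULT_PID = re.compile(r"WerFault\.exe\s.*?-p\s+(\d+)", re.IGNORECASE)


def parse_records(text):
    """Split report text into one dict per process record.

    Bullet lines ("• ...") are appended to the list started by the preceding
    key with an empty value (e.g. "Yara matches:"). Splitting on the first ':'
    keeps drive letters in "Path:C:\\..." intact.
    """
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current, last_key = {}, None
            continue
        if line.startswith("•"):
            current.setdefault(last_key, []).append(line.lstrip("•").strip())
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        current[key] = value if value else []
        last_key = key
    if current:
        records.append(current)
    return records


def yara_rules(record):
    """Distinct Yara rule names that fired on this process, sorted."""
    hits = set()
    for item in record.get("Yara matches", []):
        m = YARA_RULE.search(item)
        if m:
            hits.add(m.group(1))
    return sorted(hits)


def hash_reuse(records):
    """MD5 -> sorted paths, for hashes that ran from more than one path.

    The same binary appearing under several paths means the sample copied
    itself; each path is a persistence artifact to hunt for.
    """
    by_hash = defaultdict(set)
    for r in records:
        if "MD5 hash" in r and "Path" in r:
            by_hash[r["MD5 hash"].lower()].add(r["Path"])
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def crashed_pids(records):
    """PIDs from WerFault.exe '-p <pid>' command lines: the processes that crashed."""
    pids = []
    for r in records:
        m = WERFAULT_PID.search(r.get("Commandline", ""))
        if m:
            pids.append(int(m.group(1)))
    return pids


def iocs(records):
    """(path, md5, yara rules) for every process with at least one Yara hit."""
    return [(r["Path"], r["MD5 hash"].lower(), tuple(yara_rules(r)))
            for r in records if yara_rules(r)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for path, md5, rules in iocs(recs):
        print(f"{md5}  {path}  {', '.join(rules)}")
    for md5, paths in hash_reuse(recs).items():
        print(f"self-copy: {md5} ran from {len(paths)} paths: {paths}")
    print("crashed PIDs:", crashed_pids(recs))
```

Running it against the full process list (paste the whole section into SAMPLE_REPORT or read it from a file) adds Target IDs 6 and 8 to the same hash group and yields all four WerFault PIDs (7672, 7784, 7428, 7584), which can then be matched against the process start records to see which stealer instances crashed.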

                                                                                                                            No disassembly