
Windows Analysis Report
bUHMq54m6Q.exe

Overview

General Information

Sample name: bUHMq54m6Q.exe (renamed because the original name is a hash value)
Original sample name: 2cf4b5cf327757376e717ab5554b921b.exe
Analysis ID: 1437130
MD5: 2cf4b5cf327757376e717ab5554b921b
SHA1: 020751e48f382dbd25341228e0acf66818428b12
SHA256: a275c369ef53eba4655ca43244e230fd7b38e45dbf25fc0b614918a58b3d07a6
Tags: exe, RiseProStealer

Detection

RisePro Stealer
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • bUHMq54m6Q.exe (PID: 6556 cmdline: "C:\Users\user\Desktop\bUHMq54m6Q.exe" MD5: 2CF4B5CF327757376E717AB5554B921B)
    • schtasks.exe (PID: 3560 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 3200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5412 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 1836 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6556 -s 1888 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 4896 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 2CF4B5CF327757376E717AB5554B921B)
    • WerFault.exe (PID: 5088 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1148 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 2836 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 2CF4B5CF327757376E717AB5554B921B)
  • RageMP131.exe (PID: 3604 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 2CF4B5CF327757376E717AB5554B921B)
  • RageMP131.exe (PID: 5700 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 2CF4B5CF327757376E717AB5554B921B)
  • cleanup
No configs have been found
Yara matches on dropped files (Source | Rule | Description | Author; the Strings column is empty in the report):
C:\Users\user\AppData\Local\Temp\NoSoV6eJxRbhlNXMC2XnYgm.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
C:\Users\user\AppData\Local\Temp\eK26yDxmyAbMrjg7CdmfOmj.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security

Yara matches on memory dumps (Source | Rule | Description | Author; only the first 5 entries are reproduced here, the original report's table is longer):
00000000.00000003.2159759925.0000000005C56000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000000.00000002.2276746268.000000000122E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000000.00000002.2280792333.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000006.00000002.2282419782.0000000005A70000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000000.00000002.2280715188.0000000005C30000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security

                System Summary

Source: Registry Key set; Sigma rule: CurrentVersion Autorun Keys Modification (authors: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)); Data: EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\bUHMq54m6Q.exe, ProcessId: 6556, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131, Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
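The two schtasks command lines in the process tree above and this Run-key write are the sample's persistence. What follows is an added example, not part of the Joe Sandbox report, that hunts for exactly that pair of behaviours in process-creation and registry-set events: a task whose action is a PE in a user-writable directory, and an autorun value pointing at such a path. The event records are constructed from the command lines and the Sigma hit on this page; their Sysmon-style field names (Image, CommandLine, EventType, TargetObject, Details) and the list of user-writable directories are assumptions of the example, not a real log schema.

```python
"""Persistence hunt over process-creation and registry-set events (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Directories a standard user can write to (assumed list). A task action or autorun
# value that lives here deserves far more suspicion than one under Program Files.
USER_WRITABLE = re.compile(
    r"^(?:[A-Za-z]:\\ProgramData\\"
    r"|[A-Za-z]:\\Users\\[^\\]+\\(?:AppData|Desktop|Downloads)\\"
    r"|%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|PROGRAMDATA)%)",
    re.IGNORECASE,
)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# One schtasks switch plus its optional value; values may be quoted and never start with '/'.
SWITCH = re.compile(r'/(create|tr|tn|sc|rl|ru|f)\b(?:\s+(?:"([^"]*)"|([^/\s]\S*)))?', re.IGNORECASE)
# Schedules that re-run the payload without any user action.
RECURRING = {"ONLOGON", "ONSTART", "MINUTE", "HOURLY", "DAILY"}


@dataclass
class Finding:
    technique: str   # ATT&CK sub-technique the behaviour maps to
    process: str     # image that created the persistence
    name: str        # task name or registry value name
    target: str      # executable that will be launched
    detail: str


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Return {switch: value} for a `schtasks /create ...` command line, else None."""
    if "schtasks" not in cmdline.lower():
        return None
    switches = {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
                for m in SWITCH.finditer(cmdline)}
    return switches if "create" in switches else None


def check_process(event: dict) -> Optional[Finding]:
    """Flag schtasks /create whose action (/tr) lives in a user-writable path."""
    sw = parse_schtasks(event.get("CommandLine", ""))
    if not sw or not sw.get("tr"):
        return None
    target = sw["tr"]
    if not USER_WRITABLE.match(target):
        return None
    reasons = ["task action in user-writable path"]
    trigger = (sw.get("sc") or "").upper()
    if trigger in RECURRING:
        reasons.append(f"trigger {trigger}")
    if (sw.get("rl") or "").upper() == "HIGHEST":
        reasons.append("/rl HIGHEST")
    if "f" in sw:
        reasons.append("/f silently replaces an existing task of the same name")
    return Finding("T1053.005 scheduled task", event["Image"], sw.get("tn") or "?", target,
                   "; ".join(reasons))


def check_registry(event: dict) -> Optional[Finding]:
    """Flag a Run/RunOnce value whose data points into a user-writable path."""
    if event.get("EventType") != "SetValue" or not RUN_KEY.search(event.get("TargetObject", "")):
        return None
    target = event.get("Details", "").strip('"')
    if not USER_WRITABLE.match(target):
        return None
    key = event["TargetObject"]
    return Finding("T1547.001 Run key", event["Image"], key.rsplit("\\", 1)[-1], target,
                   "autorun value points into a user-writable path: " + key)


def hunt(events):
    findings = []
    for ev in events:
        f = check_registry(ev) if "TargetObject" in ev else check_process(ev)
        if f:
            findings.append(f)
    return findings


SAMPLE_EVENTS = [
    # Two schtasks command lines copied from the report's process tree (PIDs 3560 and 5412).
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST'},
    # Constructed benign control: action under Program Files, no elevation requested.
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Nightly Backup" /tr "C:\Program Files\Backup\backup.exe" /sc DAILY'},
    # Registry SetValue copied from the Sigma hit in the report.
    {"EventType": "SetValue", "Image": r"C:\Users\user\Desktop\bUHMq54m6Q.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131",
     "Details": r"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"},
    # Constructed benign control: Run value whose target lives in System32.
    {"EventType": "SetValue", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.technique}: {f.name} -> {f.target} [{f.detail}] via {f.process}")
```

Run stand-alone, the script reports the two MPGPH131 tasks and the RageMP131 Run value and stays silent on the two benign controls. Note that /RU "user" together with /rl HIGHEST only yields the highest integrity level that account already has; it is not an elevation by itself, which is why the hunt scores it as one factor among several rather than on its own.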
Snort IDS alerts in time order (all TCP, classtype "A Network Trojan was detected"; port 58709 is the remote side on 147.45.47.126 and the 497xx ports are the analysis host's ephemeral ports, see the Networking section):
Timestamp (05/07/24) | SID | Rule | Source port | Destination port
01:32:13.477244 | 2049060 | ET TROJAN RisePro TCP Heartbeat Packet | 49699 | 58709
01:32:13.660877 | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49699
01:32:13.858546 | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49699
01:32:16.104894 | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49703
01:32:16.124524 | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49702
01:32:19.524067 | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49699 | 58709
01:32:30.432420 | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49720
01:32:39.555621 | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49724


                AV Detection

Source: http://147.45.47.102:57893/hera/amadka.exe; Avira URL Cloud: Label: malware
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe; Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Joe Sandbox ML: detected
Source: bUHMq54m6Q.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe; Code function: 0_2_005D6A80 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 6_2_00FC6A80 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree
Source: bUHMq54m6Q.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49701 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49705 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49704 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49706 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49723 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe; Code function: 0_2_005F66F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe; Code function: 0_2_005A3EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe; Code function: 0_2_005EFE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe; Code function: 0_2_00541F9C FindClose,FindFirstFileExW,GetLastError
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe; Code function: 0_2_005D5F80 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe; Code function: 0_2_00542022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe; Code function: 0_2_005A3850 FindFirstFileA,FindNextFileA,GetLastError,FindClose
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 6_2_00FE66F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 6_2_00F93EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 6_2_00FDFE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 6_2_00F31F9C FindClose,FindFirstFileExW,GetLastError
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 6_2_00FC5F80 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 6_2_00F32022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx
Source: C:\ProgramData\MPGPH131\MPGPH131.exe; Code function: 6_2_00F93850 FindFirstFileA,FindNextFileA,GetLastError,FindClose

                Networking

Source: Traffic; Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.6:49699 -> 147.45.47.126:58709
Source: Traffic; Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.126:58709 -> 192.168.2.6:49699
Source: Traffic; Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.126:58709 -> 192.168.2.6:49699
Source: Traffic; Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.126:58709 -> 192.168.2.6:49703
Source: Traffic; Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.126:58709 -> 192.168.2.6:49702
Source: Traffic; Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49699 -> 147.45.47.126:58709
Source: Traffic; Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.126:58709 -> 192.168.2.6:49720
Source: Traffic; Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.126:58709 -> 192.168.2.6:49724
Source: global traffic; TCP traffic: 147.45.47.126 ports 0,5,7,8,58709,9 (the single-digit entries are the digits of 58709 and are almost certainly a rendering artifact; every Snort alert and flow in this report goes to 147.45.47.126:58709, so the "Connects to many ports of the same IP (likely port scanning)" signature above reflects many local ephemeral ports to one remote port, not a scan)
Source: global traffic; TCP traffic: 192.168.2.6:49699 -> 147.45.47.126:58709
Source: Joe Sandbox View; IP Address: 34.117.186.192
Source: Joe Sandbox View; IP Address: 147.45.47.126
Source: Joe Sandbox View; IP Address: 104.26.4.15
Source: Joe Sandbox View; ASN Name: FREE-NET-ASFREEnetEU
Source: Joe Sandbox View; JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown; DNS query: name: ipinfo.io (4 queries)
Source: global traffic; HTTP traffic detected (5 identical requests; 156.146.37.102 is the address being looked up and, given the "May check the online IP address of the machine" signature, appears to be the analysis host's own public address rather than attacker infrastructure, so it should not be treated as an IOC):
GET /widget/demo/156.146.37.102 HTTP/1.1
Connection: Keep-Alive
Referer: https://ipinfo.io/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: ipinfo.io
Source: global traffic; HTTP traffic detected (5 identical requests):
GET /demo/home.php?s=156.146.37.102 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
Host: db-ip.com
Source: unknown; TCP traffic detected without corresponding DNS query: 147.45.47.126 (reported 50 times)
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe; Code function: 0_2_005D8510 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,FreeAddrInfoW,WSACleanup,FreeAddrInfoW
Source: global traffic; DNS traffic detected: DNS query: ipinfo.io
Source: global traffic; DNS traffic detected: DNS query: db-ip.com
Source: bUHMq54m6Q.exe, 00000000.00000002.2276746268.00000000012BC000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2158606160.0000000005C71000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2159759925.0000000005C73000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2158405940.0000000005C71000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000002.2280792333.0000000005C73000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2158512133.0000000005C71000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2174199079.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: bUHMq54m6Q.exe, 00000000.00000003.2158606160.0000000005C71000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2159759925.0000000005C73000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2158405940.0000000005C71000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000002.2280792333.0000000005C73000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2158512133.0000000005C71000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe)=
Source: MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe68.0
Source: MPGPH131.exe, 00000007.00000002.2174199079.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeaO
Source: MPGPH131.exe, 00000007.00000002.2174199079.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://193.23
Source: bUHMq54m6Q.exe, 00000000.00000002.2276746268.00000000012BC000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2158606160.0000000005C71000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2159759925.0000000005C73000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000002.2280792333.0000000005C73000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2158512133.0000000005C71000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2174199079.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://193.233.132.56/cost/go.exe
Source: bUHMq54m6Q.exe, 00000000.00000002.2276746268.00000000012BC000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://193.233.132.56/cost/go.exe207
Source: MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://193.233.132.56/cost/go.exeServer
Source: bUHMq54m6Q.exe, 00000000.00000003.2158606160.0000000005C71000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2159759925.0000000005C73000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000002.2280792333.0000000005C73000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2158512133.0000000005C71000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://193.233.132.56/cost/go.exeTerracoin=
Source: MPGPH131.exe, 00000007.00000002.2174199079.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://193.233.132.56/cost/go.exeWOUl-
Source: MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2174199079.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://193.233.132.56/cost/lenin.exe
Source: MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.micro
Source: Amcache.hve.10.dr; String found in binary or memory: http://upx.sf.net
Source: bUHMq54m6Q.exe, 00000000.00000002.2272966412.000000000066D000.00000002.00000001.01000000.00000003.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2086040857.0000000001180000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2114405302.0000000000C50000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2277258884.000000000105D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2168458625.000000000105D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2114630366.0000000001A50000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2324438250.00000000004BD000.00000002.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000E.00000003.2255008440.0000000002A30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2427181585.00000000004BD000.00000002.00000001.01000000.00000008.sdmp, RageMP131.exe, 00000012.00000003.2337606735.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://www.winimage.com/zLibDll
Source: bUHMq54m6Q.exe, 00000000.00000003.2150265902.0000000005C6F000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2152690333.0000000005C93000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2151263071.0000000005C92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181530040.0000000005EFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2179554394.0000000005EFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2180030463.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, RVFvq_w1ZQYbWeb Data.0.dr, 9V16nhm0bFZXWeb Data.0.dr, LmI4gt7uNt6lWeb Data.0.dr, uH4Klb1syK8iWeb Data.6.dr, KsIfLLPbfavZWeb Data.6.dr, e0WJiscSE76mWeb Data.6.dr; String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: bUHMq54m6Q.exe, 00000000.00000003.2150265902.0000000005C6F000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2152690333.0000000005C93000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2151263071.0000000005C92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181530040.0000000005EFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2179554394.0000000005EFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2180030463.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, RVFvq_w1ZQYbWeb Data.0.dr, 9V16nhm0bFZXWeb Data.0.dr, LmI4gt7uNt6lWeb Data.0.dr, uH4Klb1syK8iWeb Data.6.dr, KsIfLLPbfavZWeb Data.6.dr, e0WJiscSE76mWeb Data.6.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: bUHMq54m6Q.exe, 00000000.00000003.2150265902.0000000005C6F000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2152690333.0000000005C93000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2151263071.0000000005C92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181530040.0000000005EFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2179554394.0000000005EFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2180030463.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, RVFvq_w1ZQYbWeb Data.0.dr, 9V16nhm0bFZXWeb Data.0.dr, LmI4gt7uNt6lWeb Data.0.dr, uH4Klb1syK8iWeb Data.6.dr, KsIfLLPbfavZWeb Data.6.dr, e0WJiscSE76mWeb Data.6.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: bUHMq54m6Q.exe, 00000000.00000003.2150265902.0000000005C6F000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2152690333.0000000005C93000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2151263071.0000000005C92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181530040.0000000005EFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2179554394.0000000005EFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2180030463.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, RVFvq_w1ZQYbWeb Data.0.dr, 9V16nhm0bFZXWeb Data.0.dr, LmI4gt7uNt6lWeb Data.0.dr, uH4Klb1syK8iWeb Data.6.dr, KsIfLLPbfavZWeb Data.6.dr, e0WJiscSE76mWeb Data.6.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: RageMP131.exe, 0000000E.00000002.2325536566.00000000010F0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2429829682.00000000011BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/
                Source: MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2174199079.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2325536566.00000000010F0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2429829682.00000000011BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=156.146.37.102
                Source: RageMP131.exe, 0000000E.00000002.2325536566.00000000010F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=156.146.37.102D
                Source: MPGPH131.exe, 00000007.00000002.2174199079.0000000001CA7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=156.146.37.102LS
                Source: RageMP131.exe, 00000012.00000002.2429829682.00000000011BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=156.146.37.102_i
                Source: MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2174199079.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2325536566.00000000010F0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2429829682.00000000011BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=156.146.37.102
                Source: bUHMq54m6Q.exe, 00000000.00000002.2276746268.00000000012BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=156.146.37.102A
                Source: bUHMq54m6Q.exe, 00000000.00000003.2150265902.0000000005C6F000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2152690333.0000000005C93000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2151263071.0000000005C92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181530040.0000000005EFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2179554394.0000000005EFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2180030463.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, RVFvq_w1ZQYbWeb Data.0.dr, 9V16nhm0bFZXWeb Data.0.dr, LmI4gt7uNt6lWeb Data.0.dr, uH4Klb1syK8iWeb Data.6.dr, KsIfLLPbfavZWeb Data.6.dr, e0WJiscSE76mWeb Data.6.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: bUHMq54m6Q.exe, 00000000.00000003.2150265902.0000000005C6F000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2152690333.0000000005C93000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2151263071.0000000005C92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181530040.0000000005EFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2179554394.0000000005EFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2180030463.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, RVFvq_w1ZQYbWeb Data.0.dr, 9V16nhm0bFZXWeb Data.0.dr, LmI4gt7uNt6lWeb Data.0.dr, uH4Klb1syK8iWeb Data.6.dr, KsIfLLPbfavZWeb Data.6.dr, e0WJiscSE76mWeb Data.6.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: bUHMq54m6Q.exe, 00000000.00000003.2150265902.0000000005C6F000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2152690333.0000000005C93000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2151263071.0000000005C92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181530040.0000000005EFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2179554394.0000000005EFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2180030463.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, RVFvq_w1ZQYbWeb Data.0.dr, 9V16nhm0bFZXWeb Data.0.dr, LmI4gt7uNt6lWeb Data.0.dr, uH4Klb1syK8iWeb Data.6.dr, KsIfLLPbfavZWeb Data.6.dr, e0WJiscSE76mWeb Data.6.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: RageMP131.exe, 00000012.00000002.2429829682.0000000001180000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2429829682.0000000001172000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/
                Source: MPGPH131.exe, 00000006.00000002.2275133356.0000000000CF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/$E
                Source: bUHMq54m6Q.exe, 00000000.00000002.2276746268.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2174199079.0000000001C9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2325536566.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2429829682.00000000011BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/Mozilla/5.0
                Source: bUHMq54m6Q.exe, 00000000.00000002.2276746268.000000000129C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/e7
                Source: bUHMq54m6Q.exe, 00000000.00000002.2272966412.000000000066D000.00000002.00000001.01000000.00000003.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2086040857.0000000001180000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2114405302.0000000000C50000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2277258884.000000000105D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2168458625.000000000105D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2114630366.0000000001A50000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2324438250.00000000004BD000.00000002.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000E.00000003.2255008440.0000000002A30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2427181585.00000000004BD000.00000002.00000001.01000000.00000008.sdmp, RageMP131.exe, 00000012.00000003.2337606735.0000000002BE0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
                Source: RageMP131.exe, 0000000E.00000002.2325536566.00000000010C3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/o
                Source: MPGPH131.exe, 00000007.00000002.2174199079.0000000001C5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/t
                Source: bUHMq54m6Q.exe, 00000000.00000002.2276746268.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000002.2276746268.000000000126C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2275133356.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2174199079.0000000001C6F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2174199079.0000000001C9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2325536566.00000000010AC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2325536566.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2429829682.00000000011BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2429829682.0000000001190000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/156.146.37.102
                Source: MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/156.146.37.102=
                Source: RageMP131.exe, 0000000E.00000002.2325536566.00000000010AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/156.146.37.102d
                Source: MPGPH131.exe, 00000006.00000002.2275133356.0000000000D1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/156.146.37.102p
                Source: MPGPH131.exe, 00000007.00000002.2174199079.0000000001C27000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/x
                Source: bUHMq54m6Q.exe, 00000000.00000002.2276746268.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2174199079.0000000001C9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2325536566.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2429829682.00000000011BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/156.146.37.102
                Source: D87fZN3R3jFeplaces.sqlite.7.drString found in binary or memory: https://support.mozilla.org
                Source: D87fZN3R3jFeplaces.sqlite.7.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: D87fZN3R3jFeplaces.sqlite.7.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
                Source: bUHMq54m6Q.exe, 00000000.00000003.2159759925.0000000005C56000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000002.2276746268.000000000122E000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000002.2280792333.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000002.2280715188.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2275133356.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2282419782.0000000005A70000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2174199079.0000000001C27000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2325536566.000000000105E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2429829682.0000000001147000.00000004.00000020.00020000.00000000.sdmp, NoSoV6eJxRbhlNXMC2XnYgm.zip.6.dr, eK26yDxmyAbMrjg7CdmfOmj.zip.0.drString found in binary or memory: https://t.me/RiseProSUPPORT
                Source: RageMP131.exe, 00000012.00000002.2429829682.0000000001147000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORT2
                Source: MPGPH131.exe, 00000006.00000002.2282419782.0000000005A70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORT=L
                Source: bUHMq54m6Q.exe, 00000000.00000003.2159759925.0000000005C56000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000002.2280792333.0000000005C5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTBB~
                Source: bUHMq54m6Q.exe, 00000000.00000002.2280715188.0000000005C30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTP
                Source: RageMP131.exe, 0000000E.00000002.2325536566.000000000105E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTPROCESSOR_LEVEL=6PROCES
                Source: bUHMq54m6Q.exe, 00000000.00000002.2276746268.000000000122E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTf
                Source: MPGPH131.exe, 00000006.00000002.2275133356.0000000000CBE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTq3i
                Source: RageMP131.exe, 00000012.00000002.2429829682.00000000011BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2429829682.000000000121F000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr, passwords.txt.6.drString found in binary or memory: https://t.me/risepro_bot
                Source: RageMP131.exe, 0000000E.00000002.2325536566.00000000010F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot7.102
                Source: MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botPrim
                Source: MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botisepro_bot_Aj
                Source: RageMP131.exe, 00000012.00000002.2429829682.00000000011BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botr5
                Source: RageMP131.exe, 00000012.00000002.2429829682.00000000011BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botrisep
                Source: RageMP131.exe, 0000000E.00000002.2325536566.00000000010F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botrisepro
                Source: MPGPH131.exe, 00000007.00000002.2174199079.0000000001CA7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botrisepro;O
                Source: bUHMq54m6Q.exe, 00000000.00000002.2276746268.00000000012BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botz
                Source: bUHMq54m6Q.exe, 00000000.00000003.2150265902.0000000005C6F000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2152690333.0000000005C93000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2151263071.0000000005C92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181530040.0000000005EFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2179554394.0000000005EFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2180030463.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, RVFvq_w1ZQYbWeb Data.0.dr, 9V16nhm0bFZXWeb Data.0.dr, LmI4gt7uNt6lWeb Data.0.dr, uH4Klb1syK8iWeb Data.6.dr, KsIfLLPbfavZWeb Data.6.dr, e0WJiscSE76mWeb Data.6.drString found in binary or memory: https://www.ecosia.org/newtab/
                Source: bUHMq54m6Q.exe, 00000000.00000003.2150265902.0000000005C6F000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2152690333.0000000005C93000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2151263071.0000000005C92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181530040.0000000005EFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2179554394.0000000005EFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2180030463.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, RVFvq_w1ZQYbWeb Data.0.dr, 9V16nhm0bFZXWeb Data.0.dr, LmI4gt7uNt6lWeb Data.0.dr, uH4Klb1syK8iWeb Data.6.dr, KsIfLLPbfavZWeb Data.6.dr, e0WJiscSE76mWeb Data.6.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: bUHMq54m6Q.exe, MPGPH131.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                Source: 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr, 3b6N2Xdh3CYwplaces.sqlite.7.dr, D87fZN3R3jFeplaces.sqlite.7.drString found in binary or memory: https://www.mozilla.org
                Source: D87fZN3R3jFeplaces.sqlite.7.drString found in binary or memory: https://www.mozilla.org#
                Source: D87fZN3R3jFeplaces.sqlite.7.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
                Source: D87fZN3R3jFeplaces.sqlite.7.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
                Source: D87fZN3R3jFeplaces.sqlite.7.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exe; Code function: 0_2_005F5F70 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,701574A0,DeleteObject,DeleteObject,ReleaseDC,

                System Summary

                Source: bUHMq54m6Q.exe; Static PE information: section name: (name not rendered; finding repeated for five sections)
                Source: RageMP131.exe.0.dr; Static PE information: section name: (name not rendered; finding repeated for five sections)
                Source: MPGPH131.exe.0.dr; Static PE information: section name: (name not rendered; finding repeated for five sections)
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FEFBA0
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_01046C50
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_01034C70
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F58E30
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_01041E30
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FF2F30
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exeCode function: String function: 0052ACE0 appears 86 times
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: String function: 00F1ACE0 appears 86 times
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6556 -s 1888
Source: bUHMq54m6Q.exe | Static PE information: Number of sections : 12 > 10
Source: RageMP131.exe.0.dr | Static PE information: Number of sections : 12 > 10
Source: MPGPH131.exe.0.dr | Static PE information: Number of sections : 12 > 10
Source: bUHMq54m6Q.exe | Binary or memory string: OriginalFilename vs bUHMq54m6Q.exe
Source: bUHMq54m6Q.exe, 00000000.00000002.2273112638.00000000006B7000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs bUHMq54m6Q.exe
Source: bUHMq54m6Q.exe, 00000000.00000003.2086143976.0000000001110000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs bUHMq54m6Q.exe
Source: bUHMq54m6Q.exe, 00000000.00000002.2273029672.000000000069A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs bUHMq54m6Q.exe
Source: bUHMq54m6Q.exe | Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs bUHMq54m6Q.exe
(These rows record a mismatch: the version resource names the file CrossDeviceSettingsHost.exe, which is not the name it carries on disk.)
Source: bUHMq54m6Q.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: bUHMq54m6Q.exe | Static PE information: ZLIB complexity per section: 1.000030517578125, 0.9986979166666666, 0.9992461622807017, 0.9952713815789473 (four sections whose names do not render); .reloc 1.5
Source: RageMP131.exe.0.dr | Static PE information: ZLIB complexity per section: 1.000030517578125, 0.9986979166666666, 0.9992461622807017, 0.9952713815789473 (four sections whose names do not render); .reloc 1.5
Source: MPGPH131.exe.0.dr | Static PE information: ZLIB complexity per section: 1.000030517578125, 0.9986979166666666, 0.9992461622807017, 0.9952713815789473 (four sections whose names do not render); .reloc 1.5
(ZLIB complexity is compressed size over raw size. Values at or above 1.0 on large sections mean the data is already compressed or encrypted; the 1.5 on .reloc is only zlib's fixed overhead on a tiny section and is not evidence of packing.)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@13/58@3/3
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Code function: 0_2_005EFE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3200:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4412:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6556
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4896
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: bUHMq54m6Q.exe, 00000000.00000002.2272966412.000000000066D000.00000002.00000001.01000000.00000003.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2086040857.0000000001180000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2114405302.0000000000C50000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2277258884.000000000105D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2168458625.000000000105D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2114630366.0000000001A50000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2324438250.00000000004BD000.00000002.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000E.00000003.2255008440.0000000002A30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2427181585.00000000004BD000.00000002.00000001.01000000.00000008.sdmp, RageMP131.exe, 00000012.00000003.2337606735.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: bUHMq54m6Q.exe, 00000000.00000002.2272966412.000000000066D000.00000002.00000001.01000000.00000003.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2086040857.0000000001180000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2114405302.0000000000C50000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2277258884.000000000105D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2168458625.000000000105D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2114630366.0000000001A50000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2324438250.00000000004BD000.00000002.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000E.00000003.2255008440.0000000002A30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2427181585.00000000004BD000.00000002.00000001.01000000.00000008.sdmp, RageMP131.exe, 00000012.00000003.2337606735.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: MPGPH131.exe, 00000006.00000003.2179282683.0000000005EE4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2178981488.0000000005EE3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2179140207.0000000005EE9000.00000004.00000020.00020000.00000000.sdmp, JEr8lVONTEQKLogin Data.0.dr, IuMVYmRLxIIELogin Data.6.dr, 1oBLao5WFReeLogin Data For Account.6.dr, W4StvYRvRm8RLogin Data.6.dr, lKkvrLBG06UiLogin Data For Account.0.dr, wib805ADjjQsLogin Data.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
(The first two rows are strings of the SQLite engine linked into all three binaries. The .0.dr and .6.dr entries in the third row are files dropped by processes 0 and 6: copies of Chromium "Login Data" and "Login Data For Account" credential databases, each written under a random 12-character prefix, which is where the password_notes schema comes from.)
Source: bUHMq54m6Q.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | File read: C:\Users\user\Desktop\bUHMq54m6Q.exe
Source: unknown | Process created: C:\Users\user\Desktop\bUHMq54m6Q.exe "C:\Users\user\Desktop\bUHMq54m6Q.exe"
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6556 -s 1888
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1148
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
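The two schtasks rows in the process tree are the persistence mechanism: the copy dropped in C:\ProgramData is registered twice, hourly and at logon, with /rl HIGHEST and /f. The block below is an added example written for this page, not code from the report, from Joe Sandbox or from the sample. It parses schtasks.exe command lines out of process-creation events and lists the indicators a detection rule would key on. The two malicious events are copied from the rows above; the benign event, the user-writable path list and the reason threshold are this example's own assumptions.

```python
"""Score scheduled-task creation events for persistence indicators.
Added example for this page; thresholds and path list are assumptions."""
import re

# Assumption: locations a standard user can write to. A task action that
# points here runs attacker-controlled code, not an installed product.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")
PERSISTENT_TRIGGERS = {"ONLOGON", "ONSTART", "MINUTE", "HOURLY"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping "quoted" values whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline):
    """Map schtasks switches to values, e.g. {'create': True, 'tr': 'C:\\...'}.
    A switch followed by a non-switch token takes that token as its value."""
    toks, opts, i = tokenize(cmdline), {}, 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[tok[1:].lower()] = toks[i + 1]
                i += 2
                continue
            opts[tok[1:].lower()] = True
        i += 1
    return opts


def assess(parent, cmdline):
    """Return the reasons a task-creation event is suspicious (empty if none)."""
    opts = parse_schtasks(cmdline)
    if "schtasks" not in cmdline.lower() or "create" not in opts:
        return []
    reasons = []
    action = str(opts.get("tr", "")).lower()
    if any(p in action for p in USER_WRITABLE):
        reasons.append("action runs from a user-writable path: " + opts["tr"])
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("/rl HIGHEST requests the account's highest available token")
    if str(opts.get("sc", "")).upper() in PERSISTENT_TRIGGERS:
        reasons.append("recurring or logon trigger: " + opts["sc"].upper())
    if opts.get("f") is True:
        reasons.append("/f silently overwrites an existing task of the same name")
    if parent.lower().startswith("c:\\users\\"):
        reasons.append("created by a process running from the user profile: " + parent)
    return reasons


def flag_events(events, min_reasons=3):
    """Return [(task name, reasons)] for events meeting the reason threshold."""
    hits = []
    for parent, cmdline in events:
        reasons = assess(parent, cmdline)
        if len(reasons) >= min_reasons:
            hits.append((parse_schtasks(cmdline).get("tn", "?"), reasons))
    return hits


# Two events copied from the report's process tree, one constructed benign event.
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\bUHMq54m6Q.exe",
     r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" '
     r'/tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST'),
    (r"C:\Users\user\Desktop\bUHMq54m6Q.exe",
     r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" '
     r'/tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST'),
    # Constructed: an installer under Program Files registering a nightly job.
    (r"C:\Program Files\Backup\setup.exe",
     r'schtasks /create /tn "Backup Nightly" /tr "C:\Program Files\Backup\backup.exe" '
     r'/sc DAILY /st 02:00'),
]

if __name__ == "__main__":
    for name, reasons in flag_events(SAMPLE_EVENTS):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

One caveat worth keeping in mind: /RU "user" with /rl HIGHEST grants nothing by itself. The task runs with the highest token that account already holds, so on a standard-user account it stays unelevated; on an account in Administrators it runs elevated without a UAC prompt. On a live host, `schtasks /query /v /fo LIST | findstr /i MPGPH131` shows these two tasks, and PowerShell's Get-ScheduledTask exposes the action path through Actions.Execute for the same user-writable-path check.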
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Section loaded: apphelp.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, d3d11.dll, dxgi.dll, resourcepolicyclient.dll, kernel.appcore.dll, d3d10warp.dll, uxtheme.dll, dxcore.dll, sspicli.dll, ntmarta.dll, winhttp.dll, wininet.dll, mswsock.dll, devobj.dll, ondemandconnroutehelper.dll, webio.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, windows.storage.dll, wldp.dll, vaultcli.dll, wintypes.dll, dpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: apphelp.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, d3d11.dll, dxgi.dll, resourcepolicyclient.dll, kernel.appcore.dll, d3d10warp.dll, uxtheme.dll, dxcore.dll, sspicli.dll, winhttp.dll, wininet.dll, mswsock.dll, devobj.dll, ondemandconnroutehelper.dll, webio.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, vaultcli.dll, wintypes.dll, windows.storage.dll, wldp.dll, ntmarta.dll, dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll, ncrypt.dll, ntasn1.dll, d3d11.dll, dxgi.dll, resourcepolicyclient.dll, kernel.appcore.dll, d3d10warp.dll, uxtheme.dll, dxcore.dll, sspicli.dll, winhttp.dll, wininet.dll, mswsock.dll, devobj.dll, ondemandconnroutehelper.dll, webio.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, vaultcli.dll, wintypes.dll, windows.storage.dll, wldp.dll, ntmarta.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: apphelp.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, d3d11.dll, dxgi.dll, resourcepolicyclient.dll, kernel.appcore.dll, d3d10warp.dll, uxtheme.dll, dxcore.dll, sspicli.dll, winhttp.dll, wininet.dll, mswsock.dll, devobj.dll, ondemandconnroutehelper.dll, webio.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rstrtmgr.dll, ncrypt.dll, ntasn1.dll, d3d11.dll, dxgi.dll, resourcepolicyclient.dll, kernel.appcore.dll, d3d10warp.dll, uxtheme.dll, dxcore.dll, sspicli.dll, winhttp.dll, wininet.dll, mswsock.dll, devobj.dll, ondemandconnroutehelper.dll, webio.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: bUHMq54m6Q.exe | Static file information: File size 2298896 > 1048576
Source: bUHMq54m6Q.exe | Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x187400
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Code function: 0_2_005DF200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,
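The 0_2_005DF200 row above (VirtualAllocEx, WriteProcessMemory, LoadLibraryA, GetProcAddress, CreateRemoteThread, WaitForSingleObject) and the 0_2_005EFE80 row earlier (GetComputerNameA, GetUserNameA, GetSystemInfo, GlobalMemoryStatusEx, CreateToolhelp32Snapshot, Process32First, Process32Next) are ordered call sequences; the first is the classic remote-thread injection shape, with the LoadLibrary/GetProcAddress pair consistent with resolving the thread start routine before the remote thread is created. The natural way to check such rows is gap-tolerant subsequence matching. The block below is an added example for this page, not logic from the report or from Joe Sandbox; the two traces are copied verbatim from those rows, and the pattern table is the example's own and deliberately small.

```python
"""Match ordered API subsequences (gaps allowed) against the API lists that
'Code function' rows carry. Added example; the pattern table is an assumption."""
import re

# Each pattern is an ordered API subsequence; unrelated calls may sit between steps.
PATTERNS = {
    "remote thread injection": ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"),
    "thread start resolved via LoadLibrary/GetProcAddress":
        ("LoadLibrary", "GetProcAddress", "WriteProcessMemory", "CreateRemoteThread"),
    "host profiling": ("GetComputerName", "GetUserName", "GetSystemInfo", "GlobalMemoryStatusEx"),
    "process enumeration": ("CreateToolhelp32Snapshot", "Process32First", "Process32Next"),
}


def normalize(api):
    """Drop the ANSI/Unicode suffix so GetUserNameA and GetUserNameW compare equal.
    The lowercase lookbehind leaves names such as GetProcAddress untouched."""
    return re.sub(r"(?<=[a-z])[AW]$", "", api.strip())


def parse_trace(row):
    """Turn the comma-separated API list of a report row into normalized names."""
    return [normalize(api) for api in row.split(",") if api.strip()]


def contains_in_order(trace, pattern):
    """True if every pattern step occurs in trace, in that order, gaps allowed.
    The shared iterator advances past each matched step, so order is enforced."""
    it = iter(trace)
    return all(any(api == step for api in it) for step in pattern)


def match_techniques(row):
    """Names of every pattern the row's API sequence contains."""
    trace = parse_trace(row)
    return [name for name, pattern in PATTERNS.items() if contains_in_order(trace, pattern)]


# Both traces are copied from the report's 0_2_005DF200 and 0_2_005EFE80 rows.
INJECTION_ROW = (
    "VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,"
    "GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,"
    "WaitForSingleObject,")
PROFILING_ROW = (
    "CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,"
    "GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,"
    "GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,"
    "RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,"
    "GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,"
    "LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,"
    "GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,"
    "RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,"
    "CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,"
    "RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,"
    "RegCloseKey,RegCloseKey,")

if __name__ == "__main__":
    for label, row in (("0_2_005DF200", INJECTION_ROW), ("0_2_005EFE80", PROFILING_ROW)):
        print(label, "->", ", ".join(match_techniques(row)) or "no match")
```

Subsequence matching of this kind is deliberately loose: it says what the function is capable of, not what executed on a given run, and a pattern of three common APIs will also hit benign installers. Treat a match as a reason to read the function, not as a verdict on its own.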
Source: initial sample | Static PE information: section where entry point is pointing to: .boot
Source: bUHMq54m6Q.exe | Static PE information: section names: five sections whose names consist of special characters (not rendered here), .vm_sec, .themida, .boot
Source: RageMP131.exe.0.dr | Static PE information: section names: five sections whose names consist of special characters (not rendered here), .vm_sec, .themida, .boot
Source: MPGPH131.exe.0.dr | Static PE information: section names: five sections whose names consist of special characters (not rendered here), .vm_sec, .themida, .boot
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exeCode function: 0_2_008A7399 push 4F494312h; mov dword ptr [esp], ecx
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exeCode function: 0_2_008A7399 push eax; mov dword ptr [esp], esi
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exeCode function: 0_2_008A7399 push 02A74018h; mov dword ptr [esp], ebx
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exeCode function: 0_2_00989680 push ebx; mov dword ptr [esp], esi
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exeCode function: 0_2_00989680 push 03F40937h; mov dword ptr [esp], eax
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exeCode function: 0_2_00543F59 push ecx; ret
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_01297399 push 4F494312h; mov dword ptr [esp], ecx
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_01297399 push eax; mov dword ptr [esp], esi
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_01297399 push 02A74018h; mov dword ptr [esp], ebx
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F33F59 push ecx; ret
                Source: bUHMq54m6Q.exeStatic PE information: section name: entropy: 7.99965539534534
                Source: bUHMq54m6Q.exeStatic PE information: section name: .boot entropy: 7.954415800190369
                Source: RageMP131.exe.0.drStatic PE information: section name: entropy: 7.99965539534534
                Source: RageMP131.exe.0.drStatic PE information: section name: .boot entropy: 7.954415800190369
                Source: MPGPH131.exe.0.drStatic PE information: section name: entropy: 7.99965539534534
                Source: MPGPH131.exe.0.drStatic PE information: section name: .boot entropy: 7.954415800190369
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exeFile created: C:\ProgramData\MPGPH131\MPGPH131.exeJump to dropped file
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exeFile created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeJump to dropped file
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exeFile created: C:\ProgramData\MPGPH131\MPGPH131.exeJump to dropped file
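
The static indicators listed above (section names that do not display, sections called .vm_sec, .themida and .boot, an entry point inside .boot, a .boot raw size above 1 MiB, section entropy close to 8) are the usual Themida fingerprint. The Python below is an added example, not Joe Sandbox output or code from the sample: it parses a PE section table with the standard library only and emits those same findings. To run offline it constructs a small synthetic PE in memory; the section names and the 1 MiB limit come from the report, the 7.9 entropy threshold is an assumption, and the constructed file is not the real sample. For a real file call triage(open(path, "rb").read()).

```python
"""Static packer triage for the indicators the report lists (added example)."""
import math
import struct

FILE_ALIGN = 0x200
SECT_ALIGN = 0x1000
PACKER_SECTIONS = {b".themida", b".vm_sec", b".boot"}   # names seen in the report
ENTROPY_THRESHOLD = 7.9     # assumption: compressed/encrypted data sits above this
BIG_RAW_SIZE = 0x100000     # 1 MiB, the limit the report itself applies to .boot


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 when all 256 values are equally common."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in (buf.count(i) for i in range(256)) if c)


def printable_name(name: bytes) -> bool:
    return bool(name) and all(0x20 <= c < 0x7F for c in name)


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) for a PE32 or PE32+ file."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)   # same offset in PE32 and PE32+
    sections, off = [], opt + opt_size
    for _ in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append({"name": name.rstrip(b"\0"), "vaddr": vaddr, "vsize": vsize,
                         "raw": pe[rawptr:rawptr + rawsize]})
        off += 40                                         # sizeof(IMAGE_SECTION_HEADER)
    return entry_rva, sections


def triage(pe: bytes) -> list[str]:
    """Flag the packer indicators; one human-readable finding per hit."""
    entry_rva, sections = parse_sections(pe)
    findings = []
    for s in sections:
        name, raw = s["name"], s["raw"]
        label = name.decode("ascii") if printable_name(name) else (name.hex() or "<blank>")
        if not printable_name(name):
            findings.append(f"section {label}: non-printable/empty name")
        if name in PACKER_SECTIONS:
            findings.append(f"section {label}: known packer section name")
        ent = shannon_entropy(raw)
        if ent > ENTROPY_THRESHOLD:
            findings.append(f"section {label}: entropy {ent:.2f} > {ENTROPY_THRESHOLD}")
        if len(raw) > BIG_RAW_SIZE:
            findings.append(f"section {label}: raw size {len(raw):#x} > {BIG_RAW_SIZE:#x}")
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], len(raw)):
            findings.append(f"entry point {entry_rva:#x} lies in section {label}")
    return findings


def build_test_pe(sections, entry_section: int) -> bytes:
    """Construct a minimal PE32 from (name, raw_bytes) pairs; only the fields
    parse_sections() reads are populated, everything else is zero."""
    num, e_lfanew, opt_size = len(sections), 0x40, 0xE0
    raw_ptr = -(-(e_lfanew + 24 + opt_size + 40 * num) // FILE_ALIGN) * FILE_ALIGN
    table, blobs, vaddr, entry_rva = b"", b"", SECT_ALIGN, 0
    for i, (name, raw) in enumerate(sections):
        if i == entry_section:
            entry_rva = vaddr
        table += struct.pack("<8sIIII", name, len(raw), vaddr, len(raw), raw_ptr + len(blobs))
        table += b"\0" * 16                               # relocs, line numbers, characteristics
        blobs += raw
        vaddr += max(-(-len(raw) // SECT_ALIGN) * SECT_ALIGN, SECT_ALIGN)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_ptr, b"\0") + blobs


def demo() -> list[str]:
    """Constructed stand-in with the shapes the report describes; NOT the real sample."""
    flat = bytes(range(256))                               # every byte value once -> entropy 8.0
    sample = build_test_pe([
        (b".text", b"\0" * 0x400),                         # ordinary low-entropy code section
        (b"\x01\x02\x03", flat * 4),                       # non-displayable name, like the blank ones
        (b".themida", b"\x90" * 0x200),
        (b".boot", flat * 4097),                           # > 1 MiB packed stub that owns the entry point
    ], entry_section=3)
    return triage(sample)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Entropy is computed over raw file bytes, so a section whose raw size is zero (virtual-only, common for packer stubs) yields 0.0 and is caught by the name and entry-point checks instead.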

                Boot Survival

                Source: C:\Users\user\Desktop\bUHMq54m6Q.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 (2 identical events)
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process information set: NOOPENFILEERRORBOX (10 identical events)
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (10 identical events)
                Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (102 identical events)
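
The two persistence events in this section (an hourly scheduled task running at /rl HIGHEST from C:\ProgramData, and an HKCU Run value) are what a hunt across process-creation and registry telemetry should key on. The Python below is an added example, not code from the sample or from Joe Sandbox: it tokenises schtasks command lines the way a process-creation event delivers them, scores the flags the report shows, and applies the same user-writable-path test to Run values. The events are constructed: the first two mirror the report's lines (the Run value's data is assumed to be the dropped RageMP131.exe path, which the report does not display), the third is a benign control that must stay quiet.

```python
"""Persistence triage for schtasks and HKCU Run events (added example; events are constructed)."""
import re

# Locations a non-admin user can write to; a persistence target here is the signal
# in the report (C:\ProgramData\MPGPH131\ and %LOCALAPPDATA%\RageMP131\).
USER_WRITABLE = re.compile(
    r"^(?:[A-Z]:\\ProgramData\\"
    r"|[A-Z]:\\Users\\[^\\]+\\AppData\\"
    r"|[A-Z]:\\Users\\Public\\"
    r"|%(?:TEMP|TMP|APPDATA|LOCALAPPDATA|PROGRAMDATA)%)",
    re.IGNORECASE,
)
FREQUENT = {"MINUTE", "HOURLY"}     # relaunch cadences typical of loaders, not of updaters
VALUE_OPTS = {"/tr", "/tn", "/sc", "/rl", "/ru", "/mo", "/st"}


def win_tokens(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes and
    leaving backslashes untouched (shlex in POSIX mode would eat them)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline: str) -> dict:
    """Reduce a schtasks invocation to its options; keys are the flags without '/'."""
    toks = win_tokens(cmdline)
    opts = {"create": False, "force": False}
    i = 0
    while i < len(toks):
        t = toks[i].lower()
        if t == "/create":
            opts["create"] = True
        elif t == "/f":
            opts["force"] = True
        elif t in VALUE_OPTS and i + 1 < len(toks):
            opts[t[1:]] = toks[i + 1]
            i += 1
        i += 1
    return opts


def score_schtasks(cmdline: str) -> list[str]:
    """Return the reasons a task-creation command deserves attention ([] if none)."""
    o = parse_schtasks(cmdline)
    if not o["create"]:
        return []
    hits, target = [], o.get("tr", "")
    if USER_WRITABLE.match(target):
        hits.append(f"task binary in user-writable location: {target}")
    if o.get("rl", "").upper() == "HIGHEST":
        hits.append("/rl HIGHEST: runs with the user's full (admin) token when available")
    if o.get("sc", "").upper() in FREQUENT:
        hits.append(f"/sc {o['sc'].upper()}: high-frequency relaunch keeps the payload alive")
    if o["force"]:
        hits.append("/f: silently replaces any existing task with that name")
    return hits


def score_run_value(key: str, name: str, data: str) -> list[str]:
    """Same location test for an HKCU Run value (no privilege is needed to plant one)."""
    if key.upper().startswith("HKEY_CURRENT_USER\\") and USER_WRITABLE.match(data.strip('"')):
        return [f"HKCU Run value {name} launches user-writable binary: {data}"]
    return []


# Constructed events. The first two mirror the report; the Run value data is an
# assumption (the report shows only the value name). The third is a benign control.
EVENTS = [
    ("schtasks", 'schtasks /create /f /RU "user" /tr "C:\\ProgramData\\MPGPH131\\MPGPH131.exe" '
                 '/tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST'),
    ("run", ("HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "RageMP131",
             '"C:\\Users\\user\\AppData\\Local\\RageMP131\\RageMP131.exe"')),
    ("schtasks", 'schtasks /create /tn "Vendor Updater" /tr "C:\\Program Files\\Vendor\\update.exe" '
                 '/sc DAILY /st 03:00'),
]


def triage_events(events=EVENTS) -> dict[str, list[str]]:
    """Map each alerting event to its reasons; quiet events are omitted."""
    findings = {}
    for kind, ev in events:
        if kind == "schtasks":
            hits, key = score_schtasks(ev), parse_schtasks(ev).get("tn", ev)
        else:
            hits, key = score_run_value(*ev), "Run\\" + ev[1]
        if hits:
            findings[key] = hits
    return findings


if __name__ == "__main__":
    for key, reasons in triage_events().items():
        print(key, "->", "; ".join(reasons))
```

Note that /rl HIGHEST only matters when the account is an administrator; for a standard user the task still runs, just without the elevated token, so the path test is the check that holds across both cases.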

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\bUHMq54m6Q.exe Stalling execution: Execution stalls by calling Sleep
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exe System information queried: FirmwareTableInformation
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe System information queried: FirmwareTableInformation (2 identical events)
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe System information queried: FirmwareTableInformation (2 identical events)
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (2 identical events)
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (2 identical events)
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4596 Thread sleep count: 84 > 30
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exe Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (2 identical events)
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
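
The FirmwareTableInformation queries above read the raw SMBIOS table, the same data this report later recovers from Amcache.hve (BiosVendor VMware, Inc., BiosVersion VMW201.00V.20829224.B64.2211211842, SystemProduct VMware20,1). The Python below is an added example, not code from the sample or from Joe Sandbox: it builds a RawSMBIOSData blob in the layout Windows returns for the 'RSMB' firmware table provider, walks the Type 0 (BIOS) and Type 1 (System) structures, and reports the identity strings that give a hypervisor away. The BIOS values are the ones in the report's Amcache line; the serial number, the UUID bytes and the marker list are assumptions.

```python
"""What a FirmwareTableInformation (SMBIOS) anti-VM check sees (added example; table is constructed)."""
import struct

# Strings anti-VM code commonly looks for in BIOS/system identity fields (assumed list)
VM_MARKERS = ("VMware", "VirtualBox", "innotek", "VBOX", "QEMU", "Bochs", "Xen",
              "Parallels", "Virtual Machine", "Hyper-V")


def _smbios_struct(stype: int, formatted: bytes, strings: list[str]) -> bytes:
    """Encode one DMI structure: 4-byte header, formatted area, NUL-separated string set."""
    hdr = struct.pack("<BBH", stype, 4 + len(formatted), 0x1000 + stype)
    strset = b"".join(s.encode("ascii") + b"\0" for s in strings) + b"\0" if strings else b"\0\0"
    return hdr + formatted + strset


def build_rsmb(bios: tuple, system: tuple) -> bytes:
    """RawSMBIOSData blob as GetSystemFirmwareTable('RSMB') returns it:
    8-byte header, then Type 0 (BIOS), Type 1 (System), Type 127 (end of table)."""
    # Type 0 formatted area: vendor*, version*, start segment, date*, ROM size, characteristics...
    t0 = _smbios_struct(0, bytes([1, 2, 0x00, 0xE8, 3, 0xFF]) + b"\0" * 10 + b"\xff" * 4, list(bios))
    # Type 1 formatted area: manufacturer*, product*, version*, serial*, UUID[16], wake-up, SKU*, family*
    t1 = _smbios_struct(1, bytes([1, 2, 3, 4]) + b"\x11" * 16 + bytes([6, 0, 0]), list(system))
    table = t0 + t1 + _smbios_struct(127, b"", [])
    # header: Used20CallingMethod, SMBIOSMajorVersion, SMBIOSMinorVersion, DmiRevision, Length
    return struct.pack("<BBBBI", 0, 3, 2, 0, len(table)) + table


def parse_rsmb(raw: bytes) -> list[tuple[int, bytes, list[str]]]:
    """Walk the table and return (type, formatted_area, strings) per structure."""
    table_len, = struct.unpack_from("<I", raw, 4)
    table = raw[8:8 + table_len]
    out, pos = [], 0
    while pos + 4 <= len(table):
        stype, length = table[pos], table[pos + 1]
        formatted = table[pos + 4:pos + length]
        end, strings = pos + length, []
        while True:                                  # string set ends with an empty string
            nul = table.index(b"\0", end)
            if nul == end:
                end += 1
                break
            strings.append(table[end:nul].decode("ascii", "replace"))
            end = nul + 1
        if not strings:                              # an empty set is literally two NULs
            end += 1
        out.append((stype, formatted, strings))
        if stype == 127:
            break
        pos = end
    return out


def _str(formatted: bytes, off: int, strings: list[str]) -> str:
    """Resolve the 1-based string index stored at formatted[off] (0 means none)."""
    idx = formatted[off] if off < len(formatted) else 0
    return strings[idx - 1] if 0 < idx <= len(strings) else ""


def firmware_identity(raw: bytes) -> dict[str, str]:
    """The fields an anti-VM routine compares (the same ones Amcache logged in this report)."""
    ident = {}
    for stype, fmt, strs in parse_rsmb(raw):
        if stype == 0:
            ident.update(BiosVendor=_str(fmt, 0, strs), BiosVersion=_str(fmt, 1, strs),
                         BiosReleaseDate=_str(fmt, 4, strs))
        elif stype == 1:
            ident.update(SystemManufacturer=_str(fmt, 0, strs), SystemProduct=_str(fmt, 1, strs))
    return ident


def hypervisor_hits(fields: dict[str, str]) -> list[str]:
    """'Field=value' for every field carrying a hypervisor marker (case-insensitive)."""
    return [f"{k}={v}" for k, v in fields.items()
            if any(m.lower() in v.lower() for m in VM_MARKERS)]


def demo() -> list[str]:
    """Table built from the BIOS values the report recovered from Amcache.hve; serial is invented."""
    rsmb = build_rsmb(
        bios=("VMware, Inc.", "VMW201.00V.20829224.B64.2211211842", "11/21/2022"),
        system=("VMware, Inc.", "VMware20,1", "None", "VMware-42 1a 2b 3c 4d 5e"),
    )
    return hypervisor_hits(firmware_identity(rsmb))


if __name__ == "__main__":
    print(demo())
```

The same substring match is what the SystemBiosVersion, VideoBiosVersion and display-adapter DriverDesc registry reads by RageMP131.exe amount to, so an analysis VM that rewrites its SMBIOS strings but leaves HKLM\HARDWARE\DESCRIPTION\System untouched is still identified.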
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exe Code function: 0_2_005F66F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exe Code function: 0_2_005A3EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exe Code function: 0_2_005EFE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exe Code function: 0_2_00541F9C FindClose,FindFirstFileExW,GetLastError,
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exe Code function: 0_2_005D5F80 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exe Code function: 0_2_00542022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exe Code function: 0_2_005A3850 FindFirstFileA,FindNextFileA,GetLastError,FindClose,
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00FE66F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F93EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00FDFE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F31F9C FindClose,FindFirstFileExW,GetLastError,
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00FC5F80 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F32022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,
                Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F93850 FindFirstFileA,FindNextFileA,GetLastError,FindClose,
                Source: Amcache.hve.10.dr Binary or memory string: VMware
                Source: Bs1Rik95T3UPWeb Data.6.dr Binary or memory string: discord.comVMware20,11696487552f
                Source: bUHMq54m6Q.exe, 00000000.00000002.2276746268.000000000127C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&o
                Source: Amcache.hve.10.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: Bs1Rik95T3UPWeb Data.6.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                Source: bUHMq54m6Q.exe, 00000000.00000003.2160079403.0000000001315000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ngineer\AppData\Local\NVIDIA Corporation\NVIDIA GeForce Experience\*
                Source: bUHMq54m6Q.exe, 00000000.00000002.2276746268.00000000012BC000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000002.2276746268.000000000127C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2275133356.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2174199079.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2174199079.0000000001C74000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2325536566.00000000010F0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2325536566.00000000010AC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2429829682.00000000011BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2429829682.0000000001190000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: Bs1Rik95T3UPWeb Data.6.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
                Source: Bs1Rik95T3UPWeb Data.6.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                Source: Bs1Rik95T3UPWeb Data.6.dr Binary or memory string: global block list test formVMware20,11696487552
                Source: Bs1Rik95T3UPWeb Data.6.dr Binary or memory string: tasks.office.comVMware20,11696487552o
                Source: RageMP131.exe, 00000012.00000003.2364897264.00000000011A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: Amcache.hve.10.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: Bs1Rik95T3UPWeb Data.6.dr Binary or memory string: AMC password management pageVMware20,11696487552
                Source: Bs1Rik95T3UPWeb Data.6.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
                Source: Bs1Rik95T3UPWeb Data.6.dr Binary or memory string: dev.azure.comVMware20,11696487552j
                Source: MPGPH131.exe, 00000007.00000002.2174199079.0000000001C74000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
                Source: Bs1Rik95T3UPWeb Data.6.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                Source: MPGPH131.exe, 00000006.00000002.2276365511.0000000000D98000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}User Data\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
                Source: Amcache.hve.10.dr Binary or memory string: vmci.sys
                Source: Bs1Rik95T3UPWeb Data.6.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                Source: Bs1Rik95T3UPWeb Data.6.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                Source: Bs1Rik95T3UPWeb Data.6.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
                Source: Amcache.hve.10.dr Binary or memory string: VMware20,1
                Source: Amcache.hve.10.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.10.dr Binary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                Source: Amcache.hve.10.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: Amcache.hve.10.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.10.dr Binary or memory string: VMware PCI VMCI Bus Device
                Source: Amcache.hve.10.dr Binary or memory string: VMware VMCI Bus Device
                Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual RAM
                Source: Amcache.hve.10.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: MPGPH131.exe, 00000006.00000002.2276365511.0000000000D98000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ox\Profiles\2o7hffxt.default-release\places.sqlite
                Source: bUHMq54m6Q.exe, 00000000.00000002.2276746268.00000000012BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}d-
                Source: bUHMq54m6Q.exe, 00000000.00000002.2280792333.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_5C8B5E08taw
                Source: RageMP131.exe, 0000000E.00000003.2273653876.00000000010C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}L
                Source: Amcache.hve.10.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: Bs1Rik95T3UPWeb Data.6.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                Source: Bs1Rik95T3UPWeb Data.6.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                Source: Bs1Rik95T3UPWeb Data.6.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                Source: RageMP131.exe, 00000012.00000002.2429829682.0000000001190000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
                Source: Amcache.hve.10.dr Binary or memory string: VMware Virtual USB Mouse
                Source: RageMP131.exe, 00000012.00000002.2429829682.00000000011A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
                Source: bUHMq54m6Q.exe, 00000000.00000002.2276746268.00000000012BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW;
                Source: Amcache.hve.10.dr Binary or memory string: vmci.syshbin
                Source: bUHMq54m6Q.exe, 00000000.00000002.2276746268.00000000012BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}User Data\WorkspacesNavigationComponent\Network\*(
                Source: Amcache.hve.10.drBinary or memory string: VMware, Inc.
                Source: RageMP131.exe, 00000012.00000002.2429829682.00000000011A9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                Source: Bs1Rik95T3UPWeb Data.6.drBinary or memory string: bankofamerica.comVMware20,11696487552x
                Source: MPGPH131.exe, 00000006.00000003.2188025250.0000000005F0E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: scsi#disk&ven_vmware~
                Source: Amcache.hve.10.drBinary or memory string: VMware20,1hbin@
                Source: Amcache.hve.10.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.10.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.10.drBinary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
                Source: Amcache.hve.10.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Bs1Rik95T3UPWeb Data.6.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                Source: MPGPH131.exe, 00000006.00000002.2276365511.0000000000D98000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_5C8B5E08
                Source: Amcache.hve.10.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.10.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: Bs1Rik95T3UPWeb Data.6.drBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
                Source: Bs1Rik95T3UPWeb Data.6.drBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
                Source: Amcache.hve.10.drBinary or memory string: vmci.syshbin`
                Source: Amcache.hve.10.drBinary or memory string: \driver\vmci,\driver\pci
                Source: Amcache.hve.10.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Bs1Rik95T3UPWeb Data.6.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                Source: Bs1Rik95T3UPWeb Data.6.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                Source: Bs1Rik95T3UPWeb Data.6.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                Source: Bs1Rik95T3UPWeb Data.6.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                Source: Bs1Rik95T3UPWeb Data.6.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                Source: Amcache.hve.10.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: Bs1Rik95T3UPWeb Data.6.drBinary or memory string: outlook.office.comVMware20,11696487552s
                Source: MPGPH131.exe, 00000006.00000003.2130373054.0000000000D21000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}/
                Source: Bs1Rik95T3UPWeb Data.6.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                Source: Bs1Rik95T3UPWeb Data.6.drBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                Source: Bs1Rik95T3UPWeb Data.6.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                Source: RageMP131.exe, 0000000E.00000002.2325536566.00000000010F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWL
                Source: Bs1Rik95T3UPWeb Data.6.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                Source: Bs1Rik95T3UPWeb Data.6.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exeProcess information queried: ProcessInformation
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exeProcess queried: DebugPort
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess queried: DebugPort
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exeCode function: 0_2_00548A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exeCode function: 0_2_005DF200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exeCode function: 0_2_005D6D00 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exeCode function: 0_2_005A3EC0 mov eax, dword ptr fs:[00000030h]
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FC6D00 mov eax, dword ptr fs:[00000030h]
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F93EC0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exeCode function: 0_2_005F99F0 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree,
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exeCode function: 0_2_0054451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Users\user\Desktop\bUHMq54m6Q.exeCode function: 0_2_00548A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F3451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F38A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Code function: 0_2_005DF200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00FCF200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW,
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW,
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW,
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: EnumSystemLocalesW,
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Code function: 0_2_005EFE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.10.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: MsMpEng.exe

                Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000003.2159759925.0000000005C56000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2276746268.000000000122E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2280792333.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2282419782.0000000005A70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2280715188.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: bUHMq54m6Q.exe PID: 6556, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 4896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 2836, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 3604, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 5700, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\NoSoV6eJxRbhlNXMC2XnYgm.zip, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\eK26yDxmyAbMrjg7CdmfOmj.zip, type: DROPPED
Source: bUHMq54m6Q.exe, 00000000.00000002.2280715188.0000000005C30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: bUHMq54m6Q.exe, 00000000.00000002.2276746268.00000000012BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets#
Source: bUHMq54m6Q.exe, 00000000.00000002.2280715188.0000000005C30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx
Source: bUHMq54m6Q.exe, 00000000.00000002.2280715188.0000000005C30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: bUHMq54m6Q.exe, 00000000.00000002.2280715188.0000000005C30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: bUHMq54m6Q.exe, 00000000.00000002.2280715188.0000000005C30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: bUHMq54m6Q.exe, 00000000.00000002.2276746268.00000000012BC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: bUHMq54m6Q.exe, 00000000.00000002.2280715188.0000000005C30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: bUHMq54m6Q.exe, 00000000.00000002.2280715188.0000000005C30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: bUHMq54m6Q.exe, 00000000.00000002.2280715188.0000000005C30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: bUHMq54m6Q.exe, 00000000.00000003.2158606160.0000000005C71000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\formhistory.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\signons.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\logins.json
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\signons.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\places.sqlite
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\bUHMq54m6Q.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: Process Memory Space: bUHMq54m6Q.exe PID: 6556, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 4896, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: 00000000.00000003.2159759925.0000000005C56000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2276746268.000000000122E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2280792333.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2282419782.0000000005A70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2280715188.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: bUHMq54m6Q.exe PID: 6556, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 4896, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 2836, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 3604, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 5700, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\NoSoV6eJxRbhlNXMC2XnYgm.zip, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\eK26yDxmyAbMrjg7CdmfOmj.zip, type: DROPPED
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 Scheduled Task/Job | 11 Process Injection | 3 Obfuscated Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 2 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 2 Software Packing | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | NTDS | 35 System Information Discovery | Distributed Component Object Model | 1 Email Collection | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Masquerading | LSA Secrets | 1 Query Registry | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 13 Virtualization/Sandbox Evasion | Cached Domain Credentials | 351 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Process Injection | DCSync | 13 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 2 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1437130 | Sample: bUHMq54m6Q.exe | Startdate: 07/05/2024 | Architecture: WINDOWS | Score: 100
(numbers in parentheses after a process are the counts shown on its graph node; see the legend above)

Start
  DNS/IP Info: ipinfo.io; db-ip.com
  Signatures: Snort IDS alert for network traffic; Antivirus detection for URL or domain; Yara detected RisePro Stealer; 3 other signatures
  Started processes: bUHMq54m6Q.exe (1, 63); MPGPH131.exe (5, 55); RageMP131.exe; 2 other processes

bUHMq54m6Q.exe
  DNS/IP Info: 147.45.47.126 (ports 49699, 49702, 49703; FREE-NET-ASFREEnetEU; Russian Federation); ipinfo.io 34.117.186.192 (ports 443, 49700, 49704; GOOGLE-AS-APGoogleAsiaPacificPteLtdSG; United States); db-ip.com 104.26.4.15 (ports 443, 49701, 49706; CLOUDFLARENETUS; United States)
  Created files (dropped): C:\Users\user\AppData\Local\...\RageMP131.exe (PE32); C:\ProgramData\MPGPH131\MPGPH131.exe (PE32); C:\Users\user\...\eK26yDxmyAbMrjg7CdmfOmj.zip (Zip)
  Signatures: Query firmware table information (likely to detect VMs); Tries to steal Mail credentials (via file / registry access); Found many strings related to Crypto-Wallets (likely being stolen); 2 other signatures
  Started processes: schtasks.exe (1), which started conhost.exe; schtasks.exe (1), which started conhost.exe; WerFault.exe (16)

MPGPH131.exe
  Created files (dropped): C:\Users\user\...\NoSoV6eJxRbhlNXMC2XnYgm.zip (Zip)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found stalling execution ending in API Sleep call
  Started processes: WerFault.exe

RageMP131.exe
  Signatures: Tries to detect sandboxes / dynamic malware analysis system (registry check)

2 other processes
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)

Source | Detection | Scanner | Label | Link
bUHMq54m6Q.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 100% | Joe Sandbox ML | |
C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Joe Sandbox ML | |
C:\ProgramData\MPGPH131\MPGPH131.exe | 47% | ReversingLabs | Win32.Trojan.RiseProStealer |
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 47% | ReversingLabs | Win32.Trojan.RiseProStealer |
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label | Link
http://crl.micro | 0% | URL Reputation | safe |
http://193.233.132.56/cost/go.exe207 | 0% | Avira URL Cloud | safe |
http://147.45.47.102:57893/hera/amadka.exe68.0 | 0% | Avira URL Cloud | safe |
http://147.45.47.102:57893/hera/amadka.exeaO | 0% | Avira URL Cloud | safe |
http://193.233.132.56/cost/go.exeWOUl- | 0% | Avira URL Cloud | safe |
http://193.233.132.56/cost/go.exeServer | 0% | Avira URL Cloud | safe |
http://147.45.47.102:57893/hera/amadka.exe)= | 0% | Avira URL Cloud | safe |
http://193.23 | 0% | Avira URL Cloud | safe |
http://147.45.47.102:57893/hera/amadka.exe | 100% | Avira URL Cloud | malware |
http://193.233.132.56/cost/go.exeTerracoin= | 0% | Avira URL Cloud | safe |
http://193.233.132.56/cost/go.exe | 0% | Avira URL Cloud | safe |
http://193.233.132.56/cost/lenin.exe | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipinfo.io | 34.117.186.192 | true | false | | high
db-ip.com | 104.26.4.15 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://db-ip.com/demo/home.php?s=156.146.37.102 | false | | high
https://ipinfo.io/widget/demo/156.146.37.102 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | bUHMq54m6Q.exe, 00000000.00000003.2150265902.0000000005C6F000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2152690333.0000000005C93000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2151263071.0000000005C92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181530040.0000000005EFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2179554394.0000000005EFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2180030463.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, RVFvq_w1ZQYbWeb Data.0.dr, 9V16nhm0bFZXWeb Data.0.dr, LmI4gt7uNt6lWeb Data.0.dr, uH4Klb1syK8iWeb Data.6.dr, KsIfLLPbfavZWeb Data.6.dr, e0WJiscSE76mWeb Data.6.dr | false | | high
https://duckduckgo.com/ac/?q= | bUHMq54m6Q.exe, 00000000.00000003.2150265902.0000000005C6F000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2152690333.0000000005C93000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2151263071.0000000005C92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181530040.0000000005EFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2179554394.0000000005EFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2180030463.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, RVFvq_w1ZQYbWeb Data.0.dr, 9V16nhm0bFZXWeb Data.0.dr, LmI4gt7uNt6lWeb Data.0.dr, uH4Klb1syK8iWeb Data.6.dr, KsIfLLPbfavZWeb Data.6.dr, e0WJiscSE76mWeb Data.6.dr | false | | high
http://193.233.132.56/cost/go.exe207 | bUHMq54m6Q.exe, 00000000.00000002.2276746268.00000000012BC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://db-ip.com/demo/home.php?s=156.146.37.102D | RageMP131.exe, 0000000E.00000002.2325536566.00000000010F0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ipinfo.io/widget/demo/156.146.37.102p | MPGPH131.exe, 00000006.00000002.2275133356.0000000000D1B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://147.45.47.102:57893/hera/amadka.exe | bUHMq54m6Q.exe, 00000000.00000002.2276746268.00000000012BC000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2158606160.0000000005C71000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2159759925.0000000005C73000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2158405940.0000000005C71000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000002.2280792333.0000000005C73000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2158512133.0000000005C71000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2174199079.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://db-ip.com/ | RageMP131.exe, 0000000E.00000002.2325536566.00000000010F0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2429829682.00000000011BC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/RiseProSUPPORTBB~ | bUHMq54m6Q.exe, 00000000.00000003.2159759925.0000000005C56000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000002.2280792333.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/RiseProSUPPORTf | bUHMq54m6Q.exe, 00000000.00000002.2276746268.000000000122E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://147.45.47.102:57893/hera/amadka.exe68.0 | MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | bUHMq54m6Q.exe, 00000000.00000003.2150265902.0000000005C6F000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2152690333.0000000005C93000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2151263071.0000000005C92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181530040.0000000005EFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2179554394.0000000005EFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2180030463.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, RVFvq_w1ZQYbWeb Data.0.dr, 9V16nhm0bFZXWeb Data.0.dr, LmI4gt7uNt6lWeb Data.0.dr, uH4Klb1syK8iWeb Data.6.dr, KsIfLLPbfavZWeb Data.6.dr, e0WJiscSE76mWeb Data.6.dr | false | | high
https://t.me/risepro_bot7.102 | RageMP131.exe, 0000000E.00000002.2325536566.00000000010F0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/RiseProSUPPORTq3i | MPGPH131.exe, 00000006.00000002.2275133356.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/risepro_botr5 | RageMP131.exe, 00000012.00000002.2429829682.00000000011BC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ipinfo.io/widget/demo/156.146.37.102d | RageMP131.exe, 0000000E.00000002.2325536566.00000000010AC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ipinfo.io/x | MPGPH131.exe, 00000007.00000002.2174199079.0000000001C27000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://193.233.132.56/cost/go.exe | bUHMq54m6Q.exe, 00000000.00000002.2276746268.00000000012BC000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2158606160.0000000005C71000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2159759925.0000000005C73000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000002.2280792333.0000000005C73000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2158512133.0000000005C71000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2174199079.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://db-ip.com/demo/home.php?s=156.146.37.102_i | RageMP131.exe, 00000012.00000002.2429829682.00000000011BC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ipinfo.io/e7 | bUHMq54m6Q.exe, 00000000.00000002.2276746268.000000000129C000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ipinfo.io/o | RageMP131.exe, 0000000E.00000002.2325536566.00000000010C3000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/RiseProSUPPORTP | bUHMq54m6Q.exe, 00000000.00000002.2280715188.0000000005C30000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | bUHMq54m6Q.exe, 00000000.00000003.2150265902.0000000005C6F000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2152690333.0000000005C93000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2151263071.0000000005C92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181530040.0000000005EFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2179554394.0000000005EFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2180030463.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, RVFvq_w1ZQYbWeb Data.0.dr, 9V16nhm0bFZXWeb Data.0.dr, LmI4gt7uNt6lWeb Data.0.dr, uH4Klb1syK8iWeb Data.6.dr, KsIfLLPbfavZWeb Data.6.dr, e0WJiscSE76mWeb Data.6.dr | false | | high
https://ipinfo.io/t | MPGPH131.exe, 00000007.00000002.2174199079.0000000001C5F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/RiseProSUPPORTPROCESSOR_LEVEL=6PROCES | RageMP131.exe, 0000000E.00000002.2325536566.000000000105E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/risepro_botisepro_bot_Aj | MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/risepro_botrisepro | RageMP131.exe, 0000000E.00000002.2325536566.00000000010F0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://193.233.132.56/cost/go.exeTerracoin= | bUHMq54m6Q.exe, 00000000.00000003.2158606160.0000000005C71000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2159759925.0000000005C73000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000002.2280792333.0000000005C73000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2158512133.0000000005C71000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://db-ip.com/demo/home.php?s=156.146.37.102LS | MPGPH131.exe, 00000007.00000002.2174199079.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | bUHMq54m6Q.exe, 00000000.00000003.2150265902.0000000005C6F000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2152690333.0000000005C93000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2151263071.0000000005C92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181530040.0000000005EFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2179554394.0000000005EFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2180030463.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, RVFvq_w1ZQYbWeb Data.0.dr, 9V16nhm0bFZXWeb Data.0.dr, LmI4gt7uNt6lWeb Data.0.dr, uH4Klb1syK8iWeb Data.6.dr, KsIfLLPbfavZWeb Data.6.dr, e0WJiscSE76mWeb Data.6.dr | false | | high
https://ipinfo.io/widget/demo/156.146.37.102= | MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/RiseProSUPPORT2 | RageMP131.exe, 00000012.00000002.2429829682.0000000001147000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/risepro_botPrim | MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/risepro_botrisep | RageMP131.exe, 00000012.00000002.2429829682.00000000011BC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://t.me/RiseProSUPPORT=L | MPGPH131.exe, 00000006.00000002.2282419782.0000000005A70000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | bUHMq54m6Q.exe, 00000000.00000002.2272966412.000000000066D000.00000002.00000001.01000000.00000003.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2086040857.0000000001180000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2114405302.0000000000C50000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2277258884.000000000105D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2168458625.000000000105D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2114630366.0000000001A50000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2324438250.00000000004BD000.00000002.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000E.00000003.2255008440.0000000002A30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2427181585.00000000004BD000.00000002.00000001.01000000.00000008.sdmp, RageMP131.exe, 00000012.00000003.2337606735.0000000002BE0000.00000004.00001000.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | bUHMq54m6Q.exe, 00000000.00000003.2150265902.0000000005C6F000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2152690333.0000000005C93000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2151263071.0000000005C92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181530040.0000000005EFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2179554394.0000000005EFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2180030463.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, RVFvq_w1ZQYbWeb Data.0.dr, 9V16nhm0bFZXWeb Data.0.dr, LmI4gt7uNt6lWeb Data.0.dr, uH4Klb1syK8iWeb Data.6.dr, KsIfLLPbfavZWeb Data.6.dr, e0WJiscSE76mWeb Data.6.dr | false | | high
http://upx.sf.net | Amcache.hve.10.dr | false | | high
https://t.me/RiseProSUPPORT | bUHMq54m6Q.exe, 00000000.00000003.2159759925.0000000005C56000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000002.2276746268.000000000122E000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000002.2280792333.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000002.2280715188.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2275133356.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2282419782.0000000005A70000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2174199079.0000000001C27000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2325536566.000000000105E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2429829682.0000000001147000.00000004.00000020.00020000.00000000.sdmp, NoSoV6eJxRbhlNXMC2XnYgm.zip.6.dr, eK26yDxmyAbMrjg7CdmfOmj.zip.0.dr | false | | high
https://www.ecosia.org/newtab/ | bUHMq54m6Q.exe, 00000000.00000003.2150265902.0000000005C6F000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2152690333.0000000005C93000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2151263071.0000000005C92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181530040.0000000005EFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2179554394.0000000005EFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2180030463.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, RVFvq_w1ZQYbWeb Data.0.dr, 9V16nhm0bFZXWeb Data.0.dr, LmI4gt7uNt6lWeb Data.0.dr, uH4Klb1syK8iWeb Data.6.dr, KsIfLLPbfavZWeb Data.6.dr, e0WJiscSE76mWeb Data.6.dr | false | | high
https://ipinfo.io/Mozilla/5.0 | bUHMq54m6Q.exe, 00000000.00000002.2276746268.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2174199079.0000000001C9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2325536566.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2429829682.00000000011BC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ipinfo.io:443/widget/demo/156.146.37.102 | bUHMq54m6Q.exe, 00000000.00000002.2276746268.00000000012A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2174199079.0000000001C9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2325536566.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2429829682.00000000011BC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | D87fZN3R3jFeplaces.sqlite.7.dr | false | | high
http://193.233.132.56/cost/go.exeServer | MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://147.45.47.102:57893/hera/amadka.exe)= | bUHMq54m6Q.exe, 00000000.00000003.2158606160.0000000005C71000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2159759925.0000000005C73000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2158405940.0000000005C71000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000002.2280792333.0000000005C73000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2158512133.0000000005C71000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://db-ip.com:443/demo/home.php?s=156.146.37.102A | bUHMq54m6Q.exe, 00000000.00000002.2276746268.00000000012BC000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://193.233.132.56/cost/go.exeWOUl- | MPGPH131.exe, 00000007.00000002.2174199079.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | bUHMq54m6Q.exe, 00000000.00000003.2150265902.0000000005C6F000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2152690333.0000000005C93000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2151263071.0000000005C92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181530040.0000000005EFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2179554394.0000000005EFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2180030463.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, RVFvq_w1ZQYbWeb Data.0.dr, 9V16nhm0bFZXWeb Data.0.dr, LmI4gt7uNt6lWeb Data.0.dr, uH4Klb1syK8iWeb Data.6.dr, KsIfLLPbfavZWeb Data.6.dr, e0WJiscSE76mWeb Data.6.dr | false | |
                                                                                                      high
                                                                                                      https://t.me/risepro_botRageMP131.exe, 00000012.00000002.2429829682.00000000011BC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2429829682.000000000121F000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr, passwords.txt.6.drfalse
                                                                                                        high
                                                                                                        http://147.45.47.102:57893/hera/amadka.exeaOMPGPH131.exe, 00000007.00000002.2174199079.0000000001CA7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://193.23MPGPH131.exe, 00000007.00000002.2174199079.0000000001CA7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        low
                                                                                                        http://crl.microMPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        https://ipinfo.io/RageMP131.exe, 00000012.00000002.2429829682.0000000001180000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2429829682.0000000001172000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYtD87fZN3R3jFeplaces.sqlite.7.drfalse
                                                                                                            high
                                                                                                            https://www.maxmind.com/en/locate-my-ip-addressbUHMq54m6Q.exe, MPGPH131.exefalse
                                                                                                              high
                                                                                                              https://t.me/risepro_botzbUHMq54m6Q.exe, 00000000.00000002.2276746268.00000000012BC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://193.233.132.56/cost/lenin.exeMPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2174199079.0000000001CA7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://www.winimage.com/zLibDllbUHMq54m6Q.exe, 00000000.00000002.2272966412.000000000066D000.00000002.00000001.01000000.00000003.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2086040857.0000000001180000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2114405302.0000000000C50000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2277258884.000000000105D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2168458625.000000000105D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2114630366.0000000001A50000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2324438250.00000000004BD000.00000002.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000E.00000003.2255008440.0000000002A30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2427181585.00000000004BD000.00000002.00000001.01000000.00000008.sdmp, RageMP131.exe, 00000012.00000003.2337606735.0000000002BE0000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://support.mozilla.orgD87fZN3R3jFeplaces.sqlite.7.drfalse
                                                                                                                    high
                                                                                                                    https://t.me/risepro_botrisepro;OMPGPH131.exe, 00000007.00000002.2174199079.0000000001CA7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://db-ip.com:443/demo/home.php?s=156.146.37.102MPGPH131.exe, 00000006.00000002.2275133356.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2174199079.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.2325536566.00000000010F0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2429829682.00000000011BC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://ipinfo.io/$EMPGPH131.exe, 00000006.00000002.2275133356.0000000000CF1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=bUHMq54m6Q.exe, 00000000.00000003.2150265902.0000000005C6F000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2152690333.0000000005C93000.00000004.00000020.00020000.00000000.sdmp, bUHMq54m6Q.exe, 00000000.00000003.2151263071.0000000005C92000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2181530040.0000000005EFD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2179554394.0000000005EFB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2180030463.0000000005F00000.00000004.00000020.00020000.00000000.sdmp, RVFvq_w1ZQYbWeb Data.0.dr, 9V16nhm0bFZXWeb Data.0.dr, LmI4gt7uNt6lWeb Data.0.dr, uH4Klb1syK8iWeb Data.6.dr, KsIfLLPbfavZWeb Data.6.dr, e0WJiscSE76mWeb Data.6.drfalse
                                                                                                                            high
IP | Domain | Country | ASN | ASN Name | Malicious
34.117.186.192 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
147.45.47.126 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | true
104.26.4.15 | db-ip.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1437130
Start date and time: 2024-05-07 01:31:24 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 12s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: bUHMq54m6Q.exe (renamed because the original name is a hash value)
Original Sample Name: 2cf4b5cf327757376e717ab5554b921b.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@13/58@3/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 67%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 20.42.73.29
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: bUHMq54m6Q.exe
Time | Type | Description
01:32:12 | Task Scheduler | Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
01:32:13 | Task Scheduler | Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
01:32:15 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
01:32:27 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
01:32:28 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
Process: C:\Users\user\Desktop\bUHMq54m6Q.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2298896
Entropy (8bit): 7.943949707127546
Encrypted: false
SSDEEP: 49152:JZZ2yJFMXgNp/R21ABbgdThoxEN2lcHmNNQfwo:JZZF7N1ROABbgdThog24fwo
MD5: 2CF4B5CF327757376E717AB5554B921B
SHA1: 020751E48F382DBD25341228E0ACF66818428B12
SHA-256: A275C369EF53EBA4655CA43244E230FD7B38E45DBF25FC0B614918A58B3D07A6
SHA-512: CECCBEAF87660EA08D9BDC5804546C16A2ABEA4F73C8F80345E711CF5C4A8AB9330CA64022B890457187BDE83DE2687177CB50C1A4FC1BF9D49054510E2418FA
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 47%
Reputation: low
Process: C:\Users\user\Desktop\bUHMq54m6Q.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.0528304363184986
Encrypted: false
SSDEEP: 192:QKlcZzR8D107ETl6E6jjyZrofxjPzuiFGZ24IO826t:t2ReW7ET4jLPzuiFGY4IO8p
MD5: 55FFA6AEB68627E18595895A40485121
SHA1: AE5696883F3C06E49D31DAB177D1223C6B39CFC4
SHA-256: 859047D27DE298B2397FF427B2C29AF186EA31070DE9401F1C329CD172538B29
SHA-512: 2E80144AC3251CA2BB9172822638597460BF76D3AFD7EE184AFFC904EA3B6E3109113FB3A23DA9A9EB9575F6D1D3BA455A4FF6004464D654BE28A285BDFB11D8
Malicious: false
Reputation: low
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.5.1.1.9.4.4.6.4.0.4.1.8.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.5.1.1.9.4.7.3.7.4.7.9.2.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.1.0.e.e.0.7.6.-.0.e.1.e.-.4.d.c.2.-.a.8.2.1.-.2.2.b.2.c.b.2.9.4.1.4.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.1.5.d.0.5.d.5.-.3.0.6.1.-.4.1.2.9.-.b.2.8.3.-.c.d.1.2.b.c.0.3.2.a.6.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.r.o.s.s.D.e.v.i.c.e.S.e.t.t.i.n.g.s.H.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.2.0.-.0.0.0.1.-.0.0.1.5.-.1.c.2.f.-.5.e.9.f.0.d.a.0.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.6.7.a.b.c.f.8.d.6.c.2.5.2.9.7.e.d.9.7.2.3.e.f.1.6.c.3.8.f.3.6.0.0.0.0.0.9.1.0.!.0.0.0.0.0.2.0.7.5.1.e.4.8.f.3.8.2.d.b.d.2.5.3.4.1.2.
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):65536
                                                                                                                            Entropy (8bit):1.0564993166343377
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:kz2FyGpe0AYvcjyZrosLZuzuiFGZ24IO8w:DFyGpFAYvcjyuzuiFGY4IO8w
                                                                                                                            MD5:2496724ADC3F946A9EC4B66BA7F8E3AF
                                                                                                                            SHA1:413DB74471545DB74251D665B0E2655A98368916
                                                                                                                            SHA-256:1E7358379E3E413E7E0B108224F599DA60E1D0ED170F5589194853F8B52601B7
                                                                                                                            SHA-512:24698623A0845B1E59CC4229900A1CABDE1FB8536D0D869AC4F2B36BB2129D2C945B4792966B41CFFEB6854C34193AA13EEEA0EEB9E4E0900225A9D41B80EC3F
                                                                                                                            Malicious:false
                                                                                                                            Reputation:low
                                                                                                                            Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.5.1.1.9.4.1.3.6.0.7.6.5.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.5.1.1.9.4.2.2.2.0.1.4.4.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.9.d.6.8.8.8.b.-.1.5.0.9.-.4.a.5.6.-.a.e.b.6.-.1.b.7.4.a.d.a.7.2.8.8.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.5.f.d.3.c.5.f.-.9.2.a.3.-.4.a.c.1.-.9.2.8.f.-.3.f.d.9.c.e.1.f.1.b.7.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.b.U.H.M.q.5.4.m.6.Q...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.r.o.s.s.D.e.v.i.c.e.S.e.t.t.i.n.g.s.H.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.9.c.-.0.0.0.1.-.0.0.1.5.-.9.5.8.0.-.b.d.9.d.0.d.a.0.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.6.7.a.b.c.f.8.d.6.c.2.5.2.9.7.e.d.9.7.2.3.e.f.1.6.c.3.8.f.3.6.0.0.0.0.0.9.1.0.!.0.0.0.0.0.2.0.7.5.1.e.4.8.f.3.8.2.d.b.d.2.5.3.4.
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:Mini DuMP crash report, 15 streams, Mon May 6 23:32:21 2024, 0x1205a4 type
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):121480
                                                                                                                            Entropy (8bit):1.855363340823153
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:384:DD+AADAd0Ftvk7wkhOv0YASdEGG3qAJzlZI0BaQfK+rF9z2:DD+he0FtvcU0YASrobaE9z
                                                                                                                            MD5:D265223288CCD39728494EDACC4D45CD
                                                                                                                            SHA1:4EC0FD691CD4E11EAD031D358DCFBF6A5C1E79E1
                                                                                                                            SHA-256:3A1EE8B072CC72BC32AEDC6A301DC67B033B20CB4F6E4606AF43E0611AA6027A
                                                                                                                            SHA-512:19C823276AD1500C61CE121857EC766FED99485B43E0491417FAEDFEE9A8630BEEEDAF7C4AB0B3F2000ABAF116B28B34B5C0C1D724A8E9A339B268B7A071117F
                                                                                                                            Malicious:false
                                                                                                                            Reputation:low
                                                                                                                            Preview:MDMP..a..... ........h9f............................(.......l....#...........O..........`.......8...........T...........HJ..@...........,$...........&..............................................................................eJ.......&......GenuineIntel............T...........zh9f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):8396
                                                                                                                            Entropy (8bit):3.708401782548626
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:R6l7wVeJBM6GKrP56Y2DDSU/yAgmfsJlyprw89btOsfKEPm:R6lXJ66PP56YeSUqAgmfsJlKtNfK
                                                                                                                            MD5:BFF72A7437A4CFE9B3A33B115D4942B4
                                                                                                                            SHA1:8296D052352D269EADE7E733B3B1C6BE03531913
                                                                                                                            SHA-256:AE160FD624E0970377AF57CA774FAFDFCBF04F5819A2538C99F29860D75D9418
                                                                                                                            SHA-512:4A2CEDDC0AAEB1DEEE590F581DD15059DDC4CCDA200452DD43A4B87F3312B30FC318DB4ACF2614B0C086B50272B47CF640A544BBA6678163593815AE84D8D967
                                                                                                                            Malicious:false
                                                                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.5.6.<./.P.i.
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):4728
                                                                                                                            Entropy (8bit):4.5356433746061215
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:cvIwWl8zshQJg77aI9rCBWpW8VYAYm8M4JkNFN9z+q8Yf5+EQyffd:uIjfsI74Q7VgJqzRPQynd
                                                                                                                            MD5:D52E3C37BBCBDD516F70697AC8B54A96
                                                                                                                            SHA1:975DE1864954B059C8D6F50837E9526627C2FCB3
                                                                                                                            SHA-256:28435826EB843D3C8F5F29C60181A36224782383BCF8B26141C324E232324EC2
                                                                                                                            SHA-512:5D1673CA7EE38D7C0EEC780AD44D501F8E467C611ED38B8AA202ECEC840F74607DC02E2EB70CE07E8C01FEFC058CD92208AC0B2961CE00C2F21C7166BEF8E07A
                                                                                                                            Malicious:false
                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="311915" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:Mini DuMP crash report, 15 streams, Mon May 6 23:32:25 2024, 0x1205a4 type
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):110138
                                                                                                                            Entropy (8bit):1.9059204889344317
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:384:1Y+sf5xZhwFtvF6VIpZdoVq3VorSJgX16lUHtFB9F1FqEOUw8xNvtz+7kpU:1Y+sB/+FtvF6kZde1jz+e
                                                                                                                            MD5:3A3C0CE18EF40D4E92E7C7EF400F0EE8
                                                                                                                            SHA1:A7B1ADF42CA16E93E32D0164D91D91F749CF5634
                                                                                                                            SHA-256:063504D6E121A76A6CA07CBDDC067EFB18EA8840028299F85A2D8E2592FE28E6
                                                                                                                            SHA-512:6F7D883A74620053431694C42B4A5CB83340FA69760F374D1DFB84F8C4650E455AB3034574CCC12EE34BFF9925CEC612C0289E9FB0E48B9250BFA2811C9E3B00
                                                                                                                            Malicious:false
                                                                                                                            Preview:MDMP..a..... ........h9f....................................l...`#...........I..........`.......8...........T............I...d...........#...........%..............................................................................eJ......P&......GenuineIntel............T....... ...|h9f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):6362
                                                                                                                            Entropy (8bit):3.7263411812944227
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:R6l7wVeJKuD6nYi5JlDRprq89bAnsfkAm:R6lXJH6nYSJlzAsfy
                                                                                                                            MD5:6A14978891945B9E38AC53D5780B96EE
                                                                                                                            SHA1:2DCDB9B3AE42ACAC20BA24F2708601D1234962AE
                                                                                                                            SHA-256:61BF7B38559DD5F584E31F7344B0BA23A363C59A6280FB571C73A1C2013E2A1E
                                                                                                                            SHA-512:C9A8545A9119AF1C63531F023D104ADF3098A75DDC4637295468C66C457A5C02EF0A4583F83BC06DF79BC84E3B0E507AF0546D76017F268708CE7FD03167AB27
                                                                                                                            Malicious:false
                                                                                                                            Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.8.9.6.<./.P.i.
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):4718
                                                                                                                            Entropy (8bit):4.523696716084494
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:cvIwWl8zshQJg77aI9rCBWpW8VYmYm8M4JkteF6I+q80v0S5+71lwfd:uIjfsI74Q7VyJ/VA1l+d
                                                                                                                            MD5:5CFBE0ADA8596312330D36347D38BFC8
                                                                                                                            SHA1:F5C3AEED32ADDD63E4FA0B1A87E8C00AC2EC7BE3
                                                                                                                            SHA-256:164763BF3B7E5CACB0CB189AB3E7D8235E6B0CD97DE6985C03953D21127826D7
                                                                                                                            SHA-512:0B666C4E159C55B786FC002D513756A672049EE3810FFF8ECC1B47244C0F3AF9CC68A42B05ED76ADBDF6A276599E0A4F1AC98A1676DF647DB79FEAB20B9B4B4C
                                                                                                                            Malicious:false
                                                                                                                            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="311915" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                            Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
                                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):2298896
                                                                                                                            Entropy (8bit):7.943949707127546
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:49152:JZZ2yJFMXgNp/R21ABbgdThoxEN2lcHmNNQfwo:JZZF7N1ROABbgdThog24fwo
                                                                                                                            MD5:2CF4B5CF327757376E717AB5554B921B
                                                                                                                            SHA1:020751E48F382DBD25341228E0ACF66818428B12
                                                                                                                            SHA-256:A275C369EF53EBA4655CA43244E230FD7B38E45DBF25FC0B614918A58B3D07A6
                                                                                                                            SHA-512:CECCBEAF87660EA08D9BDC5804546C16A2ABEA4F73C8F80345E711CF5C4A8AB9330CA64022B890457187BDE83DE2687177CB50C1A4FC1BF9D49054510E2418FA
                                                                                                                            Malicious:true
                                                                                                                            Antivirus:
                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                            • Antivirus: ReversingLabs, Detection: 47%
                                                                                                                            Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....96f...............'............X`P...........@...........................h......#...@..................................Q.......p........................h..............................`...............................6..@................... ........................... ..` 2~..........................@..@ 0I...P......................@... .........r..................@..@ X....p...L...D..............@..B.vm_sec..@.......@..................@....idata.......P......................@....tls.........`...........................rsrc........p......................@..@.themida. 5..@......................`....boot....t...`P..t..................`..`.reloc........h.......#.
                                                                                                                            Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):26
                                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                            Malicious:false
                                                                                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):2860
                                                                                                                            Entropy (8bit):7.739784447128016
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:9raVXZV//QWGPvcpJVfMR7kl8QbBHy3Rrl735OS1hcj8xNnDyBZVYun3KJ67k0Oj:yZV//Q1vcGQdHA30MNIzYu3KJZ
                                                                                                                            MD5:CC7DEAFED3A6A0D17C8B8648F48BBB28
                                                                                                                            SHA1:F132D9ADBFC2BD3D5605BCC2E9E5C1B06CA0A800
                                                                                                                            SHA-256:6E29C3B738F43B9F11E9ACA40DA25E96C0FB91C23C6370AE0E3BBE9EF5E8D28F
                                                                                                                            SHA-512:B930BD3E8E8B96ECAF0A1C30617CDFE0DB25918E1586286FC672A975723ED5B7D42FACD7DBD5F4F8C29B51E1C5DF760E126816BEB41EC661844A9BF56E1CD209
                                                                                                                            Malicious:true
                                                                                                                            Yara Hits:
                                                                                                                            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\NoSoV6eJxRbhlNXMC2XnYgm.zip, Author: Joe Security
                                                                                                                            Preview:PK...........X................Cookies\..PK...........XA.`%............Cookies\Chrome_Default.txt....@.........i.&h.Cn..L...\.FA@.~..v7..O...%!es.f..../S..a...@.,ek.%.H......</<2..,...I..w......1q.f.F+PiM.=h.5..2....0....O..u_.~}Z.UM........y...Rj..4H..D...xLY@....[.d.c&......G_............j%q%....Y.|.....P...u..u..85/..Z`...-..c...^A8n...Y.3......j.G!....c.....AM@!._W.yQbs.@.....h.y.-......|J..i...r....c....M...E...GS...C....X..C.U..v.%......C,.L0,......5.=....6.....PK...........Xj.d.....k.......information.txt.Y.R.H.}w..."..b..K.....q7...m..Y*.M.W.......J6..M+. B.Je...*..4K.$.V.b8.j.*-.1.......Qm..fc.4z&.'....sJ8.r0..47...$4L..G.....9...d>R.26..yB.pp:kt.....B.fq4b.Q..`.Pm...C-.7...Z.T...P.?..|.X.>Mh8.+..9op^F..L...e.,.......gL....l.pp[..........|.4Ly..^.G/.8..o.j}_...y.N...<....c....'|.Q@.<S....I>.'...$....o...hS..4..1...4O..jLv..Q....V.?..I.ZojS..... B. .w._.>.^}.].J.~....9K.u..2U.mZD..t.(...E./7..>:.........e.....,....,Ok..Oi.L..!..Km 2r.6.
Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
Category:modified
Size (bytes):2860
Entropy (8bit):7.720862667626285
Encrypted:false
SSDEEP:48:9BarXZV//QWGPvcUVwNupS38FlwH5uuErj7qL8V2jm49zieHkzuXYzS3M/dRn3K6:6ZV//Q1vcUOIpSRTUZA99HFIzVT3KJ4
MD5:7BAAF6EFC43F0561B018A102B243D445
SHA1:F4061F8E1B37F9954E0A59E17592485CABD22721
SHA-256:F1C1160A830CE3BDB771D6707C576A3773E82D56E7A13453C3F40776D04E68B7
SHA-512:8DBE7AA30E74E36DD64C1493DA4DA71FCE6D44CA3C378E2587326E734929654F6D906D7BA74994C37C09CAB7287B2868C70790B8A5BCDCB64E0022656A5805E0
Malicious:true
Yara Hits:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\eK26yDxmyAbMrjg7CdmfOmj.zip, Author: Joe Security
Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):13
Entropy (8bit):2.6612262562697895
Encrypted:false
SSDEEP:3:LsXUW:wUW
MD5:D0A75EBFF72FA9B67AA2874A9CEF49CB
SHA1:1321F58A68CAAF00627A03FA4E1D2C274B115757
SHA-256:1D30EA87A95BC86360BD27D6F5399E126E4B2B135AC5BF437AD2FD213CE807B9
SHA-512:95E55D568E8C4561468BDEEBFA6295701D009796FF0BDF5F949A09499540E3788D3FF697FF256760A069FD7FD4FC5B8E7690CA5921BAB76DD52D8B2E002DA394
Malicious:false
Preview:1715044508013
Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):98304
Entropy (8bit):0.08235737944063153
Encrypted:false
SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:false
Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.0357803477377646
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWwJU0VnQphI1mJ/8GJK:58r54w0VW3xWB0VaI4
MD5:76D181A334D47872CD2E37135CC83F95
SHA1:B563370B023073CE6E0F63671AA4AF169ABBF4E1
SHA-256:52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
SHA-512:23E0D43E4785E5686868D5448628718720C5A8D9328EE814CB77807260F7CDA2D01C5DEE8F58B5713F4F09319E6CB7AB24725078C01322BAE04777418A49A9F7
Malicious:false
Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):155648
Entropy (8bit):0.5407252242845243
Encrypted:false
SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:7B955D976803304F2C0505431A0CF1CF
SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:false
Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.136471148832945
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5:37B1FC046E4B29468721F797A2BB968D
SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious:false
Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.0357803477377646
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWwJU0VnQphI1mJ/8GJK:58r54w0VW3xWB0VaI4
MD5:76D181A334D47872CD2E37135CC83F95
SHA1:B563370B023073CE6E0F63671AA4AF169ABBF4E1
SHA-256:52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
SHA-512:23E0D43E4785E5686868D5448628718720C5A8D9328EE814CB77807260F7CDA2D01C5DEE8F58B5713F4F09319E6CB7AB24725078C01322BAE04777418A49A9F7
Malicious:false
Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):159744
Entropy (8bit):0.5394293526345721
Encrypted:false
SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5:52701A76A821CDDBC23FB25C3FCA4968
SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious:false
Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):196608
Entropy (8bit):1.1239949490932863
Encrypted:false
SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:271D5F995996735B01672CF227C81C17
SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:false
Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
                                                                                                                            Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):106496
                                                                                                                            Entropy (8bit):1.136471148832945
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                                                            MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                                                            SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                                                            SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                                                            SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):20480
                                                                                                                            Entropy (8bit):0.6732424250451717
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                                            MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                                            SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                                            SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                                            SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):106496
                                                                                                                            Entropy (8bit):1.136471148832945
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                                                            MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                                                            SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                                                            SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                                                            SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):196608
                                                                                                                            Entropy (8bit):1.1239949490932863
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                                                            MD5:271D5F995996735B01672CF227C81C17
                                                                                                                            SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                                                            SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                                                            SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):40960
                                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):20480
                                                                                                                            Entropy (8bit):0.8508558324143882
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                                                            MD5:933D6D14518371B212F36C3835794D75
                                                                                                                            SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                                                            SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                                                            SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):155648
                                                                                                                            Entropy (8bit):0.5407252242845243
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                                                            MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                                                            SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                                                            SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                                                            SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):196608
                                                                                                                            Entropy (8bit):1.1239949490932863
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                                                            MD5:271D5F995996735B01672CF227C81C17
                                                                                                                            SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                                                            SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                                                            SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):159744
                                                                                                                            Entropy (8bit):0.5394293526345721
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                                                            MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                                                            SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                                                            SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                                                            SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):51200
                                                                                                                            Entropy (8bit):0.8745947603342119
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                                                            MD5:378391FDB591852E472D99DC4BF837DA
                                                                                                                            SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                                                            SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                                                            SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):98304
                                                                                                                            Entropy (8bit):0.08235737944063153
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                            MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                            SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                            SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                            SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):40960
                                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):5242880
                                                                                                                            Entropy (8bit):0.0357803477377646
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:58rJQaXoMXp0VW9FxWwJU0VnQphI1mJ/8GJK:58r54w0VW3xWB0VaI4
                                                                                                                            MD5:76D181A334D47872CD2E37135CC83F95
                                                                                                                            SHA1:B563370B023073CE6E0F63671AA4AF169ABBF4E1
                                                                                                                            SHA-256:52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
                                                                                                                            SHA-512:23E0D43E4785E5686868D5448628718720C5A8D9328EE814CB77807260F7CDA2D01C5DEE8F58B5713F4F09319E6CB7AB24725078C01322BAE04777418A49A9F7
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):196608
                                                                                                                            Entropy (8bit):1.1239949490932863
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                                                            MD5:271D5F995996735B01672CF227C81C17
                                                                                                                            SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                                                            SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                                                            SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):5242880
                                                                                                                            Entropy (8bit):0.0357803477377646
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:58rJQaXoMXp0VW9FxWwJU0VnQphI1mJ/8GJK:58r54w0VW3xWB0VaI4
                                                                                                                            MD5:76D181A334D47872CD2E37135CC83F95
                                                                                                                            SHA1:B563370B023073CE6E0F63671AA4AF169ABBF4E1
                                                                                                                            SHA-256:52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
                                                                                                                            SHA-512:23E0D43E4785E5686868D5448628718720C5A8D9328EE814CB77807260F7CDA2D01C5DEE8F58B5713F4F09319E6CB7AB24725078C01322BAE04777418A49A9F7
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):155648
                                                                                                                            Entropy (8bit):0.5407252242845243
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                                                            MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                                                            SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                                                            SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                                                            SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):20480
                                                                                                                            Entropy (8bit):0.8508558324143882
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                                                            MD5:933D6D14518371B212F36C3835794D75
                                                                                                                            SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                                                            SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                                                            SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):40960
                                                                                                                            Entropy (8bit):0.8553638852307782
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                            MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                            SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                            SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                            SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):106496
                                                                                                                            Entropy (8bit):1.136471148832945
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                                                            MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                                                            SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                                                            SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                                                            SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):20480
                                                                                                                            Entropy (8bit):0.6732424250451717
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                                            MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                                            SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                                            SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                                            SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):159744
                                                                                                                            Entropy (8bit):0.5394293526345721
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                                                            MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                                                            SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                                                            SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                                                            SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):51200
                                                                                                                            Entropy (8bit):0.8745947603342119
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                                                            MD5:378391FDB591852E472D99DC4BF837DA
                                                                                                                            SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                                                            SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                                                            SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):159744
                                                                                                                            Entropy (8bit):0.5394293526345721
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                                                            MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                                                            SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                                                            SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                                                            SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):106496
                                                                                                                            Entropy (8bit):1.136471148832945
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                                                            MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                                                            SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                                                            SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                                                            SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):106496
                                                                                                                            Entropy (8bit):1.136471148832945
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                                                            MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                                                            SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                                                            SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                                                            SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):155648
                                                                                                                            Entropy (8bit):0.5407252242845243
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                                                            MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                                                            SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                                                            SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                                                            SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):196608
                                                                                                                            Entropy (8bit):1.1239949490932863
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                                                            MD5:271D5F995996735B01672CF227C81C17
                                                                                                                            SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                                                            SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                                                            SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):196608
                                                                                                                            Entropy (8bit):1.1239949490932863
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                                                            MD5:271D5F995996735B01672CF227C81C17
                                                                                                                            SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                                                            SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                                                            SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                                                            Malicious:false
                                                                                                                            Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
                                                                                                                            File Type:ASCII text, with very long lines (369), with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):530
                                                                                                                            Entropy (8bit):6.005544722730675
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:12:c7F2v4kMx/6UsMbf4/LJPhvkRj6a9kuEYTCRopYxOOVtouEYv:SCJyHXbfQJPh8RdkYiFoYv
                                                                                                                            MD5:987FB1A1830B0EB5C0D306F8A2DE9981
                                                                                                                            SHA1:8374E6320AD99C3FF177A9889F1AB75448F6EB19
                                                                                                                            SHA-256:5EF24A6CE57CA3048431555909EC23CD5494DA76845F84271946442249DDA891
                                                                                                                            SHA-512:9E2A48264084B79051FC275DD7780A5552B56220459A1CDDBE6F6A307FE0E5759AE20BC243D085D9734153879AC4E66233AB83F92551DD8092EABF85B16F2D15
                                                                                                                            Malicious:false
                                                                                                                            Preview:.google.com.TRUE./.TRUE.1712298002.NID.ENC893*_djEwx6CLkXLg8AuSZWCgylmAsMNnd1LSfbcL+IfCgMvX/m5IrzdSwxt6X6n5S6C7wCoUoWvuixZpzrMizGZc5ohIpmsvlOrGTOhFkQ4+lCF6fVH0QNPBBb27o2nXM8em7EAYS1bYZC2LV04SqpgyxJmdfFA7UyWUoK8kFZQDRl0vdOzWdvAoumw2skuCCtJC2oG3z3OYbLTLDbM7wYvVmfDeqtnZRihAAt+ptqI6cfY1a+KO9XP+4XkDSXW7JhsexYHBqzSSBmUisGZ7f9E=_DrTFYLsM7YVgEN6pCv/RXeb8Bq748EwHbsLCIGv1kEc=*...google.com.FALSE./.TRUE.1699078840.1P_JAR.ENC893*_djEwZKzV9KAslchfQWnVTck71JHMVRC24lvAWgdl5WpYIXlINsbQSVWzkKU=_DrTFYLsM7YVgEN6pCv/RXeb8Bq748EwHbsLCIGv1kEc=*..
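The 530-byte text file above is laid out like a Netscape cookie jar (domain, include-subdomains flag, path, secure flag, expiry, name, value, tab-separated), with the report rendering the tabs and CRLF terminators as dots. Each value is wrapped as ENC893*_<base64>_<base64>*. The Python below is an added example, not part of the report or of the sample, that reconstructs the two records with real tabs, parses them, unwraps the value and inspects the first base64 field. The reading it applies is an interpretation, not something the report states: that field decodes to bytes beginning with "v10", the prefix Chromium on Windows puts on AES-256-GCM encrypted cookie values (3-byte prefix, 12-byte nonce, ciphertext, 16-byte tag), and for 1P_JAR the ciphertext that remains is 13 bytes, the length of that cookie's YYYY-MM-DD-HH value. The second field decodes to the same 32 bytes in both records; the report does not establish what it is, so the code only reports its length.

```python
import base64
import re
from datetime import datetime, timezone
from typing import Optional

# Reconstructed from the Preview above: the report shows tabs and CRLF as ".".
SAMPLE = (
    ".google.com\tTRUE\t/\tTRUE\t1712298002\tNID\tENC893*_"
    "djEwx6CLkXLg8AuSZWCgylmAsMNnd1LSfbcL+IfCgMvX/m5IrzdSwxt6X6n5S6C7wCoUoW"
    "vuixZpzrMizGZc5ohIpmsvlOrGTOhFkQ4+lCF6fVH0QNPBBb27o2nXM8em7EAYS1bYZC2L"
    "V04SqpgyxJmdfFA7UyWUoK8kFZQDRl0vdOzWdvAoumw2skuCCtJC2oG3z3OYbLTLDbM7wY"
    "vVmfDeqtnZRihAAt+ptqI6cfY1a+KO9XP+4XkDSXW7JhsexYHBqzSSBmUisGZ7f9E="
    "_DrTFYLsM7YVgEN6pCv/RXeb8Bq748EwHbsLCIGv1kEc=*\r\n"
    ".google.com\tFALSE\t/\tTRUE\t1699078840\t1P_JAR\tENC893*_"
    "djEwZKzV9KAslchfQWnVTck71JHMVRC24lvAWgdl5WpYIXlINsbQSVWzkKU="
    "_DrTFYLsM7YVgEN6pCv/RXeb8Bq748EwHbsLCIGv1kEc=*\r\n"
)

# The value wrapper seen in the file: two base64 fields joined by "_".
WRAPPER = re.compile(r"^ENC893\*_(?P<blob>[A-Za-z0-9+/=]+)_(?P<tail>[A-Za-z0-9+/=]+)\*$")


def b64(s: str) -> bytes:
    """Decode standard base64, tolerating a missing '=' pad."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def describe_chromium_blob(blob: bytes) -> Optional[dict]:
    """Split a Chromium (Windows) os_crypt cookie value: b"v10" + 12-byte AES-GCM
    nonce + ciphertext + 16-byte tag. Returns None if the prefix is not v10."""
    if blob[:3] != b"v10" or len(blob) < 3 + 12 + 16:
        return None
    return {"version": "v10", "nonce": blob[3:15], "ciphertext": blob[15:-16], "tag": blob[-16:]}


def parse_cookie_line(line: str) -> dict:
    """Parse one Netscape-format record; unwrap ENC893 values when present."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != 7:
        raise ValueError(f"expected 7 tab-separated fields, got {len(fields)}")
    domain, subdomains, path, secure, expires, name, value = fields
    rec = {
        "domain": domain,
        "include_subdomains": subdomains == "TRUE",
        "path": path,
        "secure": secure == "TRUE",
        "expires": int(expires),
        "expires_utc": datetime.fromtimestamp(int(expires), tz=timezone.utc).isoformat(),
        "name": name,
        "wrapped": False,
    }
    m = WRAPPER.match(value)
    if m:
        blob, tail = b64(m["blob"]), b64(m["tail"])
        rec.update(wrapped=True, blob=blob, tail=tail, tail_len=len(tail),
                   layout=describe_chromium_blob(blob))
    else:
        rec["value"] = value
    return rec


def parse_cookie_file(text: str) -> list:
    return [parse_cookie_line(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for r in parse_cookie_file(SAMPLE):
        ct = len(r["layout"]["ciphertext"]) if r["layout"] else None
        print(r["domain"], r["name"], r["expires_utc"], "ciphertext bytes:", ct, "tail bytes:", r["tail_len"])
```

The expiry column is what tells an analyst which of the exfiltrated cookies were still live at the time of the analysis (7 May 2024): the NID record expires on 2024-04-05 and 1P_JAR on 2023-11-04, so both were already stale here.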
                                                                                                                            Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
                                                                                                                            File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):6788
                                                                                                                            Entropy (8bit):5.454511401811121
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:xyONORzSJLcBC1IUlzhge+U8Acf99+KQeTw47OGhLfgAgkM4/DhPigy62/OA61Yg:xYRIL84IUlzhsB
                                                                                                                            MD5:06FC6A2B56EABC4E7CDD6DE8AC35FB9F
                                                                                                                            SHA1:88FE1D2F77ACBCCA7A7621611721CF6DD22CE3F9
                                                                                                                            SHA-256:B0E5B51EE03901CB820B662ADB6337F863E4272A5A06DF904ECE22EA2443BD97
                                                                                                                            SHA-512:1087D72E81BDC0017052B73839F034C9935AF7EC8545A9B61EA1927E17DFFABD555B1D2F5BE96D0084A5C2336416A0683C8B90C9FCCC22DA99B15BAB7ED78245
                                                                                                                            Malicious:false
                                                                                                                             Preview:
                                                                                                                             Build: combo
                                                                                                                             Version: 2.0
                                                                                                                             
                                                                                                                             Date: Tue May 7 01:32:17 2024
                                                                                                                             MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06
                                                                                                                             GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}
                                                                                                                             HWID: 904752e9437da3bfff870d09bb5572b2
                                                                                                                             
                                                                                                                             Path: C:\Users\user\Desktop\bUHMq54m6Q.exe
                                                                                                                             Work Dir: C:\Users\user\AppData\Local\Temp\trixylgSFE9XfRUKm
                                                                                                                             
                                                                                                                             IP: 156.146.37.102
                                                                                                                             Location: US, New York City
                                                                                                                             ZIP (Autofills): -
                                                                                                                             Windows: Windows 10 Pro [x64]
                                                                                                                             Computer Name: 390120 [WORKGROUP]
                                                                                                                             User Name: user
                                                                                                                             Display Resolution: 1280x1024
                                                                                                                             Display Language: en-CH
                                                                                                                             Keyboard Languages: English (United Kingdom) / English (United Kingdom)
                                                                                                                             Local Time: 7/5/2024 1:32:17
                                                                                                                             TimeZone: UTC1
                                                                                                                             
                                                                                                                             [Hardware]
                                                                                                                             Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz
                                                                                                                             CPU Count: 4
                                                                                                                             RAM: 8191 MB
                                                                                                                             VideoCard #0: Microsoft Basic Display Adapter
                                                                                                                             
                                                                                                                             [Processes]
                                                                                                                             System [4]
                                                                                                                             Registry [92]
                                                                                                                             smss.exe [328]
                                                                                                                             csrss.exe [412]
                                                                                                                             wininit.exe [488]
                                                                                                                             csrss.exe [496]
                                                                                                                             winlogon.exe [560]
                                                                                                                             services.exe [632]
                                                                                                                             lsass.exe [652]
                                                                                                                             svchost.exe [752]
                                                                                                                             fontdrvhost.exe [780]
                                                                                                                             fontd
                                                                                                                            Process:C:\Users\user\Desktop\bUHMq54m6Q.exe
                                                                                                                            File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):4897
                                                                                                                            Entropy (8bit):2.518316437186352
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                                                                                                            MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                                                                                                            SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                                                                                                            SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                                                                                                            SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                                                                                                            Malicious:false
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:ASCII text, with very long lines (369), with CRLF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):530
                                                                                                                            Entropy (8bit):6.005544722730675
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:12:c7F2v4kMx/6UsMbf4/LJPhvkRj6a9kuEYTCRopYxOOVtouEYv:SCJyHXbfQJPh8RdkYiFoYv
                                                                                                                            MD5:987FB1A1830B0EB5C0D306F8A2DE9981
                                                                                                                            SHA1:8374E6320AD99C3FF177A9889F1AB75448F6EB19
                                                                                                                            SHA-256:5EF24A6CE57CA3048431555909EC23CD5494DA76845F84271946442249DDA891
                                                                                                                            SHA-512:9E2A48264084B79051FC275DD7780A5552B56220459A1CDDBE6F6A307FE0E5759AE20BC243D085D9734153879AC4E66233AB83F92551DD8092EABF85B16F2D15
                                                                                                                            Malicious:false
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):6763
                                                                                                                            Entropy (8bit):5.453486822202273
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:xysBORzSLcBC1IUlzhge+U8Acf99+KQeTw47OGhLfgAgkM4/DhPigy62/OA61YLv:xWRW84IUlzhPB
                                                                                                                            MD5:B8958E5F1DE6D63E8AC54C767F4BEF84
                                                                                                                            SHA1:C4B15EDB99B71BA90A811636B2CAEC9EAC30EC90
                                                                                                                            SHA-256:A07F9B147FBCC63536AFE4F3F3D7294E1BD64105A4EEBEB2663322F5C6882F61
                                                                                                                            SHA-512:6BCB2BC14DA4740C943A3EFDF0286183C12A4AE7338281B4EFCCA8DC471C4CA633C0FA9945EB2B7F8E2AFB5EF9FEA032AD11E468C059DE1DD6A0897DABF83365
                                                                                                                            Malicious:false
                                                                                                                             Preview:
                                                                                                                             Build: combo
                                                                                                                             Version: 2.0
                                                                                                                             
                                                                                                                             Date: Tue May 7 01:32:20 2024
                                                                                                                             MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06
                                                                                                                             GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}
                                                                                                                             HWID: 904752e9437da3bfff870d09bb5572b2
                                                                                                                             
                                                                                                                             Path: C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                             Work Dir: C:\Users\user\AppData\Local\Temp\trixyuNssG0kGarHs
                                                                                                                             
                                                                                                                             IP: 156.146.37.102
                                                                                                                             Location: US, New York City
                                                                                                                             ZIP (Autofills): -
                                                                                                                             Windows: Windows 10 Pro [x64]
                                                                                                                             Computer Name: 390120 [WORKGROUP]
                                                                                                                             User Name: user
                                                                                                                             Display Resolution: 1280x1024
                                                                                                                             Display Language: en-CH
                                                                                                                             Keyboard Languages: English (United Kingdom) / English (United Kingdom)
                                                                                                                             Local Time: 7/5/2024 1:32:20
                                                                                                                             TimeZone: UTC1
                                                                                                                             
                                                                                                                             [Hardware]
                                                                                                                             Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz
                                                                                                                             CPU Count: 4
                                                                                                                             RAM: 8191 MB
                                                                                                                             VideoCard #0: Microsoft Basic Display Adapter
                                                                                                                             
                                                                                                                             [Processes]
                                                                                                                             System [4]
                                                                                                                             Registry [92]
                                                                                                                             smss.exe [328]
                                                                                                                             csrss.exe [412]
                                                                                                                             wininit.exe [488]
                                                                                                                             csrss.exe [496]
                                                                                                                             winlogon.exe [560]
                                                                                                                             services.exe [632]
                                                                                                                             lsass.exe [652]
                                                                                                                             svchost.exe [752]
                                                                                                                             fontdrvhost.exe [780]
                                                                                                                             fontdrvho
                                                                                                                            Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                            File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):4897
                                                                                                                            Entropy (8bit):2.518316437186352
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                                                                                                            MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                                                                                                            SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                                                                                                            SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                                                                                                            SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                                                                                                            Malicious:false
                                                                                                                            Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                            File Type:MS Windows registry file, NT/2000 or above
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):1835008
                                                                                                                            Entropy (8bit):4.47233161646703
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:6144:kzZfpi6ceLPx9skLmb0fvZWSP3aJG8nAgeiJRMMhA2zX4WABluuNWjDH5S:KZHtvZWOKnMM6bFpMj4
                                                                                                                            MD5:7089E7B13B3F7D5480AC10E9FC9BC7BD
                                                                                                                            SHA1:B80DCAABFC25F3670FA3EF3D0892CCFB4687B462
                                                                                                                            SHA-256:1440607BC822FC949BE90C3A333B2C52EF52E3F0ADFE88A9D28AD0FFC23F5272
                                                                                                                            SHA-512:AE6085618880C9A12125CADB435C05F5ACF31739DE941DD330E040C0339730E2E37C61EAD3A41DEE36AED981B3A9078102D4EDF86B4F86A4AD5DE879E7143183
                                                                                                                            Malicious:false
                                                                                                                            Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..O.................................................................................................................................................................................................................................................................................................................................................99X.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                            Entropy (8bit):7.943949707127546
                                                                                                                            TrID:
                                                                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                            File name:bUHMq54m6Q.exe
                                                                                                                            File size:2'298'896 bytes
                                                                                                                            MD5:2cf4b5cf327757376e717ab5554b921b
                                                                                                                            SHA1:020751e48f382dbd25341228e0acf66818428b12
                                                                                                                            SHA256:a275c369ef53eba4655ca43244e230fd7b38e45dbf25fc0b614918a58b3d07a6
                                                                                                                            SHA512:ceccbeaf87660ea08d9bdc5804546c16a2abea4f73c8f80345e711cf5c4a8ab9330ca64022b890457187bde83de2687177cb50c1a4fc1bf9d49054510e2418fa
                                                                                                                            SSDEEP:49152:JZZ2yJFMXgNp/R21ABbgdThoxEN2lcHmNNQfwo:JZZF7N1ROABbgdThog24fwo
                                                                                                                            TLSH:81B533E824E3CFADD275EBF22503911944606F61DFE24BC4B24F696DABE264D437031A
                                                                                                                            File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s
                                                                                                                            Icon Hash:1e637808c76c1d83
                                                                                                                            Entrypoint:0x906058
                                                                                                                            Entrypoint Section:.boot
                                                                                                                            Digitally signed:false
                                                                                                                            Imagebase:0x400000
                                                                                                                            Subsystem:windows gui
                                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                            Time Stamp:0x663639CA [Sat May 4 13:36:10 2024 UTC]
                                                                                                                            TLS Callbacks:
                                                                                                                            CLR (.Net) Version:
                                                                                                                            OS Version Major:6
                                                                                                                            OS Version Minor:0
                                                                                                                            File Version Major:6
                                                                                                                            File Version Minor:0
                                                                                                                            Subsystem Version Major:6
                                                                                                                            Subsystem Version Minor:0
                                                                                                                            Import Hash:63814aaf116ba6abb6496ce4bcad24c6
                                                                                                                            Instruction
                                                                                                                            call 00007FA7CD44E5F0h
                                                                                                                            push ebx
                                                                                                                            mov ebx, esp
                                                                                                                            push ebx
                                                                                                                            mov esi, dword ptr [ebx+08h]
                                                                                                                            mov edi, dword ptr [ebx+10h]
                                                                                                                            cld
                                                                                                                            mov dl, 80h
                                                                                                                            mov al, byte ptr [esi]
                                                                                                                            inc esi
                                                                                                                            mov byte ptr [edi], al
                                                                                                                            inc edi
                                                                                                                            mov ebx, 00000002h
                                                                                                                            add dl, dl
                                                                                                                            jne 00007FA7CD44E4A7h
                                                                                                                            mov dl, byte ptr [esi]
                                                                                                                            inc esi
                                                                                                                            adc dl, dl
                                                                                                                            jnc 00007FA7CD44E48Ch
                                                                                                                            add dl, dl
                                                                                                                            jne 00007FA7CD44E4A7h
                                                                                                                            mov dl, byte ptr [esi]
                                                                                                                            inc esi
                                                                                                                            adc dl, dl
                                                                                                                            jnc 00007FA7CD44E4F3h
                                                                                                                            xor eax, eax
                                                                                                                            add dl, dl
                                                                                                                            jne 00007FA7CD44E4A7h
                                                                                                                            mov dl, byte ptr [esi]
                                                                                                                            inc esi
                                                                                                                            adc dl, dl
                                                                                                                            jnc 00007FA7CD44E587h
                                                                                                                            add dl, dl
                                                                                                                            jne 00007FA7CD44E4A7h
                                                                                                                            mov dl, byte ptr [esi]
                                                                                                                            inc esi
                                                                                                                            adc dl, dl
                                                                                                                            adc eax, eax
                                                                                                                            add dl, dl
                                                                                                                            jne 00007FA7CD44E4A7h
                                                                                                                            mov dl, byte ptr [esi]
                                                                                                                            inc esi
                                                                                                                            adc dl, dl
                                                                                                                            adc eax, eax
                                                                                                                            add dl, dl
                                                                                                                            jne 00007FA7CD44E4A7h
                                                                                                                            mov dl, byte ptr [esi]
                                                                                                                            inc esi
                                                                                                                            adc dl, dl
                                                                                                                            adc eax, eax
                                                                                                                            add dl, dl
                                                                                                                            jne 00007FA7CD44E4A7h
                                                                                                                            mov dl, byte ptr [esi]
                                                                                                                            inc esi
                                                                                                                            adc dl, dl
                                                                                                                            adc eax, eax
                                                                                                                            je 00007FA7CD44E4AAh
                                                                                                                            push edi
                                                                                                                            mov eax, eax
                                                                                                                            sub edi, eax
mov al, byte ptr [edi]
pop edi
mov byte ptr [edi], al
inc edi
mov ebx, 00000002h
jmp 00007FA7CD44E43Bh
mov eax, 00000001h
add dl, dl
jne 00007FA7CD44E4A7h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007FA7CD44E4A7h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jc 00007FA7CD44E48Ch
sub eax, ebx
mov ebx, 00000001h
jne 00007FA7CD44E4CAh
mov ecx, 00000001h
add dl, dl
jne 00007FA7CD44E4A7h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
adc ecx, ecx
add dl, dl
jne 00007FA7CD44E4A7h
mov dl, byte ptr [esi]
inc esi
adc dl, dl
jc 00007FA7CD44E48Ch
push esi
mov esi, edi
sub esi, ebp
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1a518b | 0x184 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a7000 | 0xc8c0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x68e000 | 0x10 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1a6018 | 0x18 | .tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x18369c | 0x40 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x15bae8 | 0x80000 | 71df898e3bb7791f76e12ed59326dcd2 | False | 1.000030517578125 | data | 7.99965539534534 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
(unnamed) | 0x15d000 | 0x27e32 | 0xc600 | d46b2925dda747e309f73efc7cfe5f72 | False | 0.9986979166666666 | data | 7.995213678819302 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(unnamed) | 0x185000 | 0x4930 | 0x800 | 3418c8de7b7967df6bb6c2c10ed53efb | False | 0.9267578125 | data | 7.434788372867102 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x18a000 | 0xc8c0 | 0x7200 | ab55f75c506de7bda0f6900ce3592598 | False | 0.9992461622807017 | interLaced eXtensible Trace (LXT) file (Version 19394) | 7.990156009217108 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(unnamed) | 0x197000 | 0x9858 | 0x4c00 | b115c4aeaf5dbd0a5ed6289fe244caf5 | False | 0.9952713815789473 | OpenPGP Public Key | 7.97673825198549 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.vm_sec | 0x1a1000 | 0x4000 | 0x4000 | 260e2630b7c17aea8fcc14acc331fbdc | False | 0.1627197265625 | data | 2.8943699511117487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x1a5000 | 0x1000 | 0x400 | c9c064d6bd76a21fe27ddabad4c1bad5 | False | 0.3994140625 | data | 3.405869808210115 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x1a6000 | 0x1000 | 0x200 | e0820cafed729136bac879e4277031ad | False | 0.056640625 | data | 0.18120187678200297 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1a7000 | 0xca00 | 0xca00 | 128d0357f9cf8c6ae4deac65154bce26 | False | 0.6009243502475248 | DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 4795470227181741839890482462720.000000 | 5.557009435024348 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida | 0x1b4000 | 0x352000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot | 0x506000 | 0x187400 | 0x187400 | c1e1fc63d9c36264abf090352999e312 | False | 0.9858744758386582 | data | 7.954415800190369 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0x68e000 | 0x1000 | 0x10 | 9a86cd9aad32621e9b3fc39ac1644b9c | False | 1.5 | GLS_BINARY_LSB_FIRST | 2.474601752714581 | IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1a7280 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | Russian | Russia | 0.31402439024390244
RT_ICON | 0x1a78f8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | Russian | Russia | 0.42338709677419356
RT_ICON | 0x1a7bf0 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | Russian | Russia | 0.5061475409836066
RT_ICON | 0x1a7de8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | Russian | Russia | 0.5675675675675675
RT_ICON | 0x1a7f20 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Russian | Russia | 0.46961620469083154
RT_ICON | 0x1a8dd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Russian | Russia | 0.4020758122743682
RT_ICON | 0x1a9690 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Russian | Russia | 0.45506912442396313
RT_ICON | 0x1a9d68 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Russian | Russia | 0.2904624277456647
RT_ICON | 0x1aa2e0 | 0x4b55 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Russian | Russia | 0.9921182266009853
RT_ICON | 0x1aee48 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Russian | Russia | 0.316701244813278
RT_ICON | 0x1b1400 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Russian | Russia | 0.36186679174484054
RT_ICON | 0x1b24b8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Russian | Russia | 0.42418032786885246
RT_ICON | 0x1b2e50 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Russian | Russia | 0.5026595744680851
RT_GROUP_ICON | 0x1b32c8 | 0xbc | data | Russian | Russia | 0.6170212765957447
RT_VERSION | 0x1b3394 | 0x398 | OpenPGP Public Key | Russian | Russia | 0.42282608695652174
RT_MANIFEST | 0x1b373c | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
kernel32.dll | GetModuleHandleA
USER32.dll | wsprintfA
GDI32.dll | CreateCompatibleBitmap
ADVAPI32.dll | RegQueryValueExA
SHELL32.dll | ShellExecuteA
ole32.dll | CoInitialize
WS2_32.dll | WSAStartup
CRYPT32.dll | CryptUnprotectData
SHLWAPI.dll | PathFindExtensionA
gdiplus.dll | GdipGetImageEncoders
SETUPAPI.dll | SetupDiEnumDeviceInfo
ntdll.dll | RtlUnicodeStringToAnsiString
RstrtMgr.DLL | RmStartSession
Language of compilation system | Country where language is spoken
Russian | Russia
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/07/24-01:32:16.104894 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49703 | 147.45.47.126 | 192.168.2.6
05/07/24-01:32:30.432420 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49720 | 147.45.47.126 | 192.168.2.6
05/07/24-01:32:13.660877 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
05/07/24-01:32:13.858546 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
05/07/24-01:32:16.124524 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49702 | 147.45.47.126 | 192.168.2.6
05/07/24-01:32:13.477244 | TCP | 2049060 | ET TROJAN RisePro TCP Heartbeat Packet | 49699 | 58709 | 192.168.2.6 | 147.45.47.126
05/07/24-01:32:19.524067 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49699 | 58709 | 192.168.2.6 | 147.45.47.126
05/07/24-01:32:39.555621 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 58709 | 49724 | 147.45.47.126 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 7, 2024 01:32:13.278567076 CEST | 49699 | 58709 | 192.168.2.6 | 147.45.47.126
May 7, 2024 01:32:13.469449043 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:13.469577074 CEST | 49699 | 58709 | 192.168.2.6 | 147.45.47.126
May 7, 2024 01:32:13.477243900 CEST | 49699 | 58709 | 192.168.2.6 | 147.45.47.126
May 7, 2024 01:32:13.660876989 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:13.667802095 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:13.667845964 CEST | 49699 | 58709 | 192.168.2.6 | 147.45.47.126
May 7, 2024 01:32:13.783052921 CEST | 49699 | 58709 | 192.168.2.6 | 147.45.47.126
May 7, 2024 01:32:13.858546019 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:13.907537937 CEST | 49699 | 58709 | 192.168.2.6 | 147.45.47.126
May 7, 2024 01:32:14.020678043 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:14.139029026 CEST | 49700 | 443 | 192.168.2.6 | 34.117.186.192
May 7, 2024 01:32:14.139059067 CEST | 443 | 49700 | 34.117.186.192 | 192.168.2.6
May 7, 2024 01:32:14.139132977 CEST | 49700 | 443 | 192.168.2.6 | 34.117.186.192
May 7, 2024 01:32:14.142656088 CEST | 49700 | 443 | 192.168.2.6 | 34.117.186.192
May 7, 2024 01:32:14.142673969 CEST | 443 | 49700 | 34.117.186.192 | 192.168.2.6
May 7, 2024 01:32:14.329277992 CEST | 443 | 49700 | 34.117.186.192 | 192.168.2.6
May 7, 2024 01:32:14.329396009 CEST | 49700 | 443 | 192.168.2.6 | 34.117.186.192
May 7, 2024 01:32:14.333462000 CEST | 49700 | 443 | 192.168.2.6 | 34.117.186.192
May 7, 2024 01:32:14.333468914 CEST | 443 | 49700 | 34.117.186.192 | 192.168.2.6
May 7, 2024 01:32:14.334161997 CEST | 443 | 49700 | 34.117.186.192 | 192.168.2.6
May 7, 2024 01:32:14.376305103 CEST | 49700 | 443 | 192.168.2.6 | 34.117.186.192
May 7, 2024 01:32:14.421844959 CEST | 49700 | 443 | 192.168.2.6 | 34.117.186.192
May 7, 2024 01:32:14.468121052 CEST | 443 | 49700 | 34.117.186.192 | 192.168.2.6
May 7, 2024 01:32:14.540182114 CEST | 443 | 49700 | 34.117.186.192 | 192.168.2.6
May 7, 2024 01:32:14.540312052 CEST | 443 | 49700 | 34.117.186.192 | 192.168.2.6
May 7, 2024 01:32:14.540374994 CEST | 49700 | 443 | 192.168.2.6 | 34.117.186.192
May 7, 2024 01:32:14.542649031 CEST | 49700 | 443 | 192.168.2.6 | 34.117.186.192
May 7, 2024 01:32:14.542665005 CEST | 443 | 49700 | 34.117.186.192 | 192.168.2.6
May 7, 2024 01:32:14.542674065 CEST | 49700 | 443 | 192.168.2.6 | 34.117.186.192
May 7, 2024 01:32:14.542680025 CEST | 443 | 49700 | 34.117.186.192 | 192.168.2.6
May 7, 2024 01:32:14.632894993 CEST | 49701 | 443 | 192.168.2.6 | 104.26.4.15
May 7, 2024 01:32:14.632950068 CEST | 443 | 49701 | 104.26.4.15 | 192.168.2.6
May 7, 2024 01:32:14.633013964 CEST | 49701 | 443 | 192.168.2.6 | 104.26.4.15
May 7, 2024 01:32:14.633465052 CEST | 49701 | 443 | 192.168.2.6 | 104.26.4.15
May 7, 2024 01:32:14.633486032 CEST | 443 | 49701 | 104.26.4.15 | 192.168.2.6
May 7, 2024 01:32:14.817739010 CEST | 443 | 49701 | 104.26.4.15 | 192.168.2.6
May 7, 2024 01:32:14.817826986 CEST | 49701 | 443 | 192.168.2.6 | 104.26.4.15
May 7, 2024 01:32:14.820949078 CEST | 49701 | 443 | 192.168.2.6 | 104.26.4.15
May 7, 2024 01:32:14.820969105 CEST | 443 | 49701 | 104.26.4.15 | 192.168.2.6
May 7, 2024 01:32:14.821257114 CEST | 443 | 49701 | 104.26.4.15 | 192.168.2.6
May 7, 2024 01:32:14.822922945 CEST | 49701 | 443 | 192.168.2.6 | 104.26.4.15
May 7, 2024 01:32:14.864126921 CEST | 443 | 49701 | 104.26.4.15 | 192.168.2.6
May 7, 2024 01:32:15.073194981 CEST | 443 | 49701 | 104.26.4.15 | 192.168.2.6
May 7, 2024 01:32:15.073291063 CEST | 443 | 49701 | 104.26.4.15 | 192.168.2.6
May 7, 2024 01:32:15.073404074 CEST | 49701 | 443 | 192.168.2.6 | 104.26.4.15
May 7, 2024 01:32:15.075107098 CEST | 49701 | 443 | 192.168.2.6 | 104.26.4.15
May 7, 2024 01:32:15.075129032 CEST | 443 | 49701 | 104.26.4.15 | 192.168.2.6
May 7, 2024 01:32:15.075156927 CEST | 49701 | 443 | 192.168.2.6 | 104.26.4.15
May 7, 2024 01:32:15.075164080 CEST | 443 | 49701 | 104.26.4.15 | 192.168.2.6
May 7, 2024 01:32:15.075567961 CEST | 49699 | 58709 | 192.168.2.6 | 147.45.47.126
May 7, 2024 01:32:15.303148031 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:15.315984011 CEST | 49699 | 58709 | 192.168.2.6 | 147.45.47.126
May 7, 2024 01:32:15.526426077 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:15.532722950 CEST | 49699 | 58709 | 192.168.2.6 | 147.45.47.126
May 7, 2024 01:32:15.723454952 CEST | 49702 | 58709 | 192.168.2.6 | 147.45.47.126
May 7, 2024 01:32:15.724183083 CEST | 49703 | 58709 | 192.168.2.6 | 147.45.47.126
May 7, 2024 01:32:15.733865023 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:15.733885050 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:15.733897924 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:15.733911037 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:15.733928919 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:15.733941078 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:15.733961105 CEST | 49699 | 58709 | 192.168.2.6 | 147.45.47.126
May 7, 2024 01:32:15.733983040 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:15.733995914 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:15.734019995 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:15.734021902 CEST | 49699 | 58709 | 192.168.2.6 | 147.45.47.126
May 7, 2024 01:32:15.734035015 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:15.734064102 CEST | 49699 | 58709 | 192.168.2.6 | 147.45.47.126
May 7, 2024 01:32:15.734191895 CEST | 49699 | 58709 | 192.168.2.6 | 147.45.47.126
May 7, 2024 01:32:15.913988113 CEST | 58709 | 49702 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:15.914170027 CEST | 49702 | 58709 | 192.168.2.6 | 147.45.47.126
May 7, 2024 01:32:15.914343119 CEST | 58709 | 49703 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:15.914413929 CEST | 49703 | 58709 | 192.168.2.6 | 147.45.47.126
May 7, 2024 01:32:15.924654007 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:15.924668074 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:15.924679041 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:15.924695015 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:15.924706936 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
May 7, 2024 01:32:15.924717903 CEST | 58709 | 49699 | 147.45.47.126 | 192.168.2.6
                                                                                                                            May 7, 2024 01:32:15.924746037 CEST4969958709192.168.2.6147.45.47.126
                                                                                                                            May 7, 2024 01:32:15.924808025 CEST4969958709192.168.2.6147.45.47.126
                                                                                                                            May 7, 2024 01:32:15.930231094 CEST4970358709192.168.2.6147.45.47.126
                                                                                                                            May 7, 2024 01:32:15.931149960 CEST4970258709192.168.2.6147.45.47.126
                                                                                                                            May 7, 2024 01:32:15.970340967 CEST4969958709192.168.2.6147.45.47.126
                                                                                                                            May 7, 2024 01:32:16.104893923 CEST5870949703147.45.47.126192.168.2.6
                                                                                                                            May 7, 2024 01:32:16.124524117 CEST5870949702147.45.47.126192.168.2.6
                                                                                                                            May 7, 2024 01:32:16.157565117 CEST4970358709192.168.2.6147.45.47.126
                                                                                                                            May 7, 2024 01:32:16.162386894 CEST5870949703147.45.47.126192.168.2.6
                                                                                                                            May 7, 2024 01:32:16.165083885 CEST5870949699147.45.47.126192.168.2.6
                                                                                                                            May 7, 2024 01:32:16.173194885 CEST4970258709192.168.2.6147.45.47.126
                                                                                                                            May 7, 2024 01:32:16.188956976 CEST4969958709192.168.2.6147.45.47.126
                                                                                                                            May 7, 2024 01:32:16.347762108 CEST5870949703147.45.47.126192.168.2.6
                                                                                                                            May 7, 2024 01:32:16.363729000 CEST5870949702147.45.47.126192.168.2.6
                                                                                                                            May 7, 2024 01:32:16.386547089 CEST5870949699147.45.47.126192.168.2.6
                                                                                                                            May 7, 2024 01:32:16.391907930 CEST4970358709192.168.2.6147.45.47.126
                                                                                                                            May 7, 2024 01:32:16.399765015 CEST49704443192.168.2.634.117.186.192
                                                                                                                            May 7, 2024 01:32:16.399806023 CEST4434970434.117.186.192192.168.2.6
                                                                                                                            May 7, 2024 01:32:16.399882078 CEST49704443192.168.2.634.117.186.192
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 7, 2024 01:32:14.047110081 CEST | 57165 | 53 | 192.168.2.6 | 1.1.1.1
May 7, 2024 01:32:14.132601976 CEST | 53 | 57165 | 1.1.1.1 | 192.168.2.6
May 7, 2024 01:32:14.544753075 CEST | 55608 | 53 | 192.168.2.6 | 1.1.1.1
May 7, 2024 01:32:14.631848097 CEST | 53 | 55608 | 1.1.1.1 | 192.168.2.6
May 7, 2024 01:32:40.073369980 CEST | 64982 | 53 | 192.168.2.6 | 1.1.1.1
May 7, 2024 01:32:40.159960032 CEST | 53 | 64982 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 7, 2024 01:32:14.047110081 CEST | 192.168.2.6 | 1.1.1.1 | 0xee9b | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
May 7, 2024 01:32:14.544753075 CEST | 192.168.2.6 | 1.1.1.1 | 0x3800 | Standard query (0) | db-ip.com | A (IP address) | IN (0x0001) | false
May 7, 2024 01:32:40.073369980 CEST | 192.168.2.6 | 1.1.1.1 | 0x7a90 | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 7, 2024 01:32:14.132601976 CEST | 1.1.1.1 | 192.168.2.6 | 0xee9b | No error (0) | ipinfo.io | | 34.117.186.192 | A (IP address) | IN (0x0001) | false
May 7, 2024 01:32:14.631848097 CEST | 1.1.1.1 | 192.168.2.6 | 0x3800 | No error (0) | db-ip.com | | 104.26.4.15 | A (IP address) | IN (0x0001) | false
May 7, 2024 01:32:14.631848097 CEST | 1.1.1.1 | 192.168.2.6 | 0x3800 | No error (0) | db-ip.com | | 104.26.5.15 | A (IP address) | IN (0x0001) | false
May 7, 2024 01:32:14.631848097 CEST | 1.1.1.1 | 192.168.2.6 | 0x3800 | No error (0) | db-ip.com | | 172.67.75.166 | A (IP address) | IN (0x0001) | false
May 7, 2024 01:32:40.159960032 CEST | 1.1.1.1 | 192.168.2.6 | 0x7a90 | No error (0) | ipinfo.io | | 34.117.186.192 | A (IP address) | IN (0x0001) | false
• https:
  • ipinfo.io
• db-ip.com

Target ID: 0
Start time: 01:32:10
Start date: 07/05/2024
Path: C:\Users\user\Desktop\bUHMq54m6Q.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\bUHMq54m6Q.exe"
Imagebase: 0x510000
File size: 2'298'896 bytes
MD5 hash: 2CF4B5CF327757376E717AB5554B921B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.2159759925.0000000005C56000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2276746268.000000000122E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2280792333.0000000005C5F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2280715188.0000000005C30000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 01:32:12
Start date: 07/05/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase: 0x1e0000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 01:32:12
Start date: 07/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 01:32:12
Start date: 07/05/2024
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase: 0x1e0000
File size: 187'904 bytes
MD5 hash: 48C2FE20575769DE916F48EF0676A965
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 01:32:12
Start date: 07/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 01:32:12
Start date: 07/05/2024
Path: C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit): true
Commandline: C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase: 0xf00000
File size: 2'298'896 bytes
MD5 hash: 2CF4B5CF327757376E717AB5554B921B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000002.2282419782.0000000005A70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 47%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 7
Start time: 01:32:13
Start date: 07/05/2024
Path: C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit): true
Commandline: C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase: 0xf00000
File size: 2'298'896 bytes
MD5 hash: 2CF4B5CF327757376E717AB5554B921B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 10
Start time: 01:32:21
Start date: 07/05/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6556 -s 1888
Imagebase: 0x970000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 01:32:24
Start date: 07/05/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 1148
Imagebase: 0x970000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 14
Start time: 01:32:25
Start date: 07/05/2024
Path: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase: 0x360000
File size: 2'298'896 bytes
MD5 hash: 2CF4B5CF327757376E717AB5554B921B
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 47%, ReversingLabs
Reputation: low
                                                                                                                            Has exited:true

                                                                                                                            Target ID:18
                                                                                                                            Start time:01:32:35
                                                                                                                            Start date:07/05/2024
                                                                                                                            Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                                                                                                            Imagebase:0x360000
                                                                                                                            File size:2'298'896 bytes
                                                                                                                            MD5 hash:2CF4B5CF327757376E717AB5554B921B
                                                                                                                            Has elevated privileges:false
                                                                                                                            Has administrator privileges:false
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:low
                                                                                                                            Has exited:true

                                                                                                                            No disassembly